

S. Hrg. 113-583 

CYBERSECURITY: ENHANCING COORDINATION TO 
PROTECT THE FINANCIAL SECTOR 


HEARING 

BEFORE THE 

COMMITTEE ON 

BANKING, HOUSING, AND URBAN AFFAIRS 
UNITED STATES SENATE 

ONE HUNDRED THIRTEENTH CONGRESS 
SECOND SESSION 
ON 

EXAMINING THE COORDINATION AND INFORMATION SHARING BE- 
TWEEN THE FINANCIAL SERVICES INDUSTRY AND THE SECRET SERV- 
ICE, DEPARTMENT OF HOMELAND SECURITY, FEDERAL BUREAU OF 
INVESTIGATION, THE TREASURY DEPARTMENT, THE FEDERAL FINAN- 
CIAL INSTITUTIONS EXAMINATION COUNCIL, FEDERAL REGULATORY 
AGENCIES, AND LAW ENFORCEMENT IN IDENTIFYING, MONITORING, 
AND RESPONDING TO CYBERTHREATS 


DECEMBER 10, 2014 


Printed for the use of the Committee on Banking, Housing, and Urban Affairs 



Available at: http://www.fdsys.gov/ 


U.S. GOVERNMENT PUBLISHING OFFICE 
93-566 PDF WASHINGTON : 2016 


For sale by the Superintendent of Documents, U.S. Government Publishing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 


COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS 


TIM JOHNSON, South Dakota, Chairman 
JACK REED, Rhode Island 
CHARLES E. SCHUMER, New York 
ROBERT MENENDEZ, New Jersey 
SHERROD BROWN, Ohio 
JON TESTER, Montana 
MARK R. WARNER, Virginia 
JEFF MERKLEY, Oregon 
KAY HAGAN, North Carolina 
JOE MANCHIN III, West Virginia 
ELIZABETH WARREN, Massachusetts 
HEIDI HEITKAMP, North Dakota 

MIKE CRAPO, Idaho 
RICHARD C. SHELBY, Alabama 
BOB CORKER, Tennessee 
DAVID VITTER, Louisiana 
MIKE JOHANNS, Nebraska 
PATRICK J. TOOMEY, Pennsylvania 
MARK KIRK, Illinois 
JERRY MORAN, Kansas 
TOM COBURN, Oklahoma 
DEAN HELLER, Nevada 


Charles Yi, Staff Director 
Gregg Richard, Republican Staff Director 

Laura Swanson, Deputy Staff Director 
Jeanette Quick, Counsel 
Phil Rudd, Legislative Assistant 

Greg Dean, Republican Chief Counsel 
Jared Sawyer, Republican Counsel 
Travis Hill, Republican Counsel 

Dawn Ratliff, Chief Clerk 
Troy Cornell, Hearing Clerk 
Shelvin Simmons, IT Director 
Jason T. Parker, GPO Detailee 
Jim Crowell, Editor 





CONTENTS 


WEDNESDAY, DECEMBER 10, 2014 

Page 

Opening statement of Chairman Johnson 1 

Opening statements, comments, or prepared statements of: 

Senator Crapo 2 

WITNESSES 

Brian Peretti, Director for the Office of Critical Infrastructure Protection 

and Compliance Policy, Department of the Treasury 4 

Prepared statement 26 

Responses to written questions of: 

Senator Crapo 48 

Senator Menendez 49 

Senator Warner 51 

Phyllis Schneck, Deputy Under Secretary for Cybersecurity and Communica- 
tions, National Protection and Programs Directorate, Department of Home- 
land Security 6 

Prepared statement 29 

Responses to written questions of: 

Senator Crapo 53 

Senator Menendez 58 

Senator Warner 59 

Valerie Abend, Senior Critical Infrastructure Officer, Office of the Comp- 
troller of the Currency 8 

Prepared statement 33 

Responses to written questions of: 

Senator Crapo 64 

Senator Menendez 66 

Senator Warner 70 

William Noonan, Deputy Special Agent in Charge, Cyber Operations Branch, 

Criminal Investigative Division, Secret Service 10 

Prepared statement 39 

Responses to written questions of: 

Senator Crapo 75 

Senator Warner 76 

Joseph M. Demarest, Jr., Assistant Director, Cyber Division, Federal Bureau 

of Investigation, Department of Justice 11 

Prepared statement 41 

Additional Material Supplied for the Record 

Letter to Agencies submitted by Chairman Johnson and Senator Crapo 79 

Letter of response submitted by Joint Agencies 81 

Letter of response submitted by the Department of the Treasury 83 

Letter of response submitted by Federal Deposit Insurance Corporation 85 

Letter of response submitted by the National Credit Union Administration 91 

Letter of response submitted by the Board of Governors of the Federal Re- 
serve System 97 

Letter of response submitted by the Office of the Comptroller of the Currency 102 

Letter to the Conference of State Bank Supervisors submitted by Chairman 

Johnson and Senator Crapo 109 

Letter of response submitted by the Conference of State Bank Supervisors 111 






Statement submitted by the National Association of Federal Credit Unions 121 

Statement submitted by the Securities Industry and Financial Markets 

Association 123 

Statement submitted by the Independent Community Bankers of America 130 

Protecting Merchant Point of Sale Systems During the Holiday Season 132 



CYBERSECURITY: ENHANCING COORDINA- 

TION TO PROTECT THE FINANCIAL SECTOR 


WEDNESDAY, DECEMBER 10, 2014 

U.S. Senate, 

Committee on Banking, Housing, and Urban Affairs, 

Washington, DC. 

The Committee met at 10:04 a.m., in room SD-538, Dirksen Sen- 
ate Office Building, Hon. Tim Johnson, Chairman of the Com- 
mittee, presiding. 

OPENING STATEMENT OF CHAIRMAN TIM JOHNSON 

Chairman JOHNSON. I call this hearing to order. 

For my last hearing as Banking Committee Chairman, I am fo- 
cusing on an issue that will require action in the next Congress 
and beyond. Responsible management of cyber-risks by financial 
institutions is important for consumer protection, financial sta- 
bility, privacy, and national security. Not only are financial institu- 
tions frequent targets of cybercrime, they are uniquely inter- 
connected with major sectors of the economy. Cyber attacks may 
cause damage to the financial system without directly attacking a 
bank, including through third-party providers. 

Earlier this year, I held a hearing on the role of financial regu- 
lators in ensuring that institutions protect consumer information. 
Since then, we have seen one of the biggest data breaches in his- 
tory at JPMorgan. We must ensure that consumers have confidence 
in the financial system and that hard work is done by industry and 
Government together to prevent data breaches before they occur 
and respond quickly and in coordination when breaches do occur. 

However, data breach is only one piece of the cybersecurity puz- 
zle. That is why Ranking Member Crapo and I asked Federal and 
State banking regulators and Treasury to provide information 
about each agency’s protection of our financial system from cyber 
attacks. I am entering each agency’s response into the record and 
I expect that regulators continue vigilance on cybersecurity. 

Safeguarding cyberspace has become increasingly complex as our 
lives become more entwined with technology. Technological innova- 
tion in financial services, such as mobile payments, peer-to-peer 
lending, and cloud computing can facilitate improvements in the 
consumer experience and economic growth. However, these innova- 
tions highlight the crucial need for sound cybersecurity policy, as 
many of these products are outside of the regulated financial sec- 
tor. 

I have asked today’s witnesses to discuss each of their roles in 
responding to cyberthreats and how to improve information sharing. 
Law enforcement, the intelligence community, Treasury, and 
financial regulators each may have different missions, but in ad- 
dressing cybersecurity concerns, they all must be united in what 
some call a whole Government approach. I look forward to hearing 
more about cross-sector risks to the financial system, challenges 
facing small financial institutions, and how effective your partner- 
ships with the private sector have been in improving cybersecurity 
practices. 

Cybersecurity is one of the most important issues facing the fi- 
nancial system. I urge all of the witnesses today, as well as policy- 
makers in the next Congress, to act quickly to address cybersecu- 
rity concerns. 

Before I turn to Ranking Member Crapo for the last time, I want 
to say one more time to him and his staff, thank you for being such 
good partners as we sought to run our Committee in a civil, bipar- 
tisan way. To my other colleagues on this Committee, it has been 
a pleasure working with all of you over the many years. 

I now turn to Senator Crapo for his opening statement. 

STATEMENT OF SENATOR MIKE CRAPO 

Senator Crapo. Thank you, Mr. Chairman, and I appreciate your 
kind remarks. I share the same feelings that you have indicated 
with regard to not only our work together, but our staff, and I have 
developed great friendships with all of you. I appreciate that. 

This morning, we are holding what may be the final Banking 
Committee hearing that will be chaired by you, and I just have to 
reiterate what a pleasure it has been to work with you. You and 
I do have a great working relationship and it has been a privilege 
to serve with you in the past in a number of contexts, but in this 
Congress as Chairman and Ranking Member, and I wish you the 
best of luck in the future. 

Chairman JOHNSON. Thank you. 

Senator Crapo. Today, we have gathered to discuss cybersecurity 
in the financial sector. A “60 Minutes” segment that aired last 
week called 2014 the Year of the Data Breach. One recent study 
estimated that 60 percent of companies overall have experienced a 
breach in the last 2 years. This includes a number of high-profile 
breaches in which hackers have stolen personal and financial infor- 
mation from millions of consumers. 

These breaches can result in frustrating experiences for con- 
sumers, including obtaining new credit or debit cards, monitoring 
accounts for fraudulent activity, and the disruption of 
preauthorized payments. Additionally, financial institutions, espe- 
cially community banks and credit unions, face significant costs in 
reissuing cards and covering losses. The financial sector itself is 
also a primary target for hackers, because, as some have pointed 
out, that is where the money is. The largest banks are under con- 
stant attack, every day, and spend hundreds of millions of dollars 
per year on cyber defense. 

What many may not realize is that the cost of defending against 
cyber attacks is remarkably disproportionate compared to the cost 
of attacking. Hackers can purchase tools to exploit vulnerabilities 
for just a few hundred dollars, while firms must spend upwards of 
a million dollars or more to defend against specific cyber attacks. 
The costs and burdens on smaller financial institutions to defend 
against attacks can be enormous. 

JPMorgan Chase, the Nation’s largest bank by assets, was at- 
tacked this summer when hackers stole personal information from 
76 million households and seven million small businesses. While 
this is certainly concerning, I am encouraged that despite spending 
weeks inside JPMorgan’s system, the criminals reportedly were un- 
able to steal any financial account information. 

Maintaining a strong perimeter defense is one essential compo- 
nent of cybersecurity. Minimizing damage if hackers get inside is 
another. 

The impact of a major cyber attack against our financial system 
would be dire. In the words of Secretary Lew, successful attacks on 
our financial system would compromise market confidence, jeop- 
ardize the integrity of the data, and pose a threat to financial secu- 
rity. 

Many of your agencies have made cybersecurity a priority and I 
applaud you for that. In addition, the financial industry has de- 
voted substantial resources to protecting its information systems 
and is widely viewed as one of the most advanced sectors in terms 
of prioritizing cybersecurity. Today, I hope to learn more about how 
the Federal Government is partnering with industry to ensure that 
our financial system is protected from cyberthreats. What is the 
Government’s process for obtaining threat information and deliv- 
ering it to the private sector? How can we improve this process to 
get the information where it needs to go more quickly? 

It is good that cybersecurity is getting attention from so many 
different agencies and offices and working groups. While positive 
steps are being taken, we must be sure that the process has not 
become so complicated that it slows down the outflow of informa- 
tion and hinders coordination. Law enforcement, the Departments 
of Treasury and Homeland Security, and intelligence community, 
and banking regulators must all work together effectively to maxi- 
mize the speed of information sharing and to minimize the risk of 
damage from cyber attacks. 

I hope to learn, also, about the work being done by the FFIEC’s 
Cybersecurity Working Group and how that will inform exam pro- 
cedures and policies moving forward. 

Thank you, Mr. Chairman, for holding this hearing, and I look 
forward to hearing the testimony of each of our witnesses today. 

Chairman JOHNSON. Thank you, Senator Crapo. 

Are there any other Members who would like to give a brief 
opening statement? 

[No response.] 

Chairman JOHNSON. I would like to remind my colleagues that 
the record will be open for the next 7 days for additional state- 
ments and any other materials you would like to submit. 

Now, I will introduce our witnesses. Brian Peretti is Director for 
the Office of Critical Infrastructure Protection and Compliance Pol- 
icy at the U.S. Department of the Treasury. 

Phyllis Schneck is Deputy Under Secretary for Cybersecurity and 
Communications for the National Protection and Programs Direc- 
torate at the Department of Homeland Security. 
Valerie Abend is the Senior Critical Infrastructure Officer for the 
Office of the Comptroller of the Currency. 

William Noonan is Deputy Special Agent in Charge of the Cyber 
Operations Branch of the Secret Service’s Criminal Investigative 
Division. 

Joseph Demarest, Jr., is Assistant Director of the Cyber Division 
at the Federal Bureau of Investigation. 

I would like to ask the witnesses to please keep your remarks to 
5 minutes. Your full written statements will be included in the 
hearing record. 

Mr. Peretti, you may begin your testimony. 

STATEMENT OF BRIAN PERETTI, DIRECTOR FOR THE OFFICE 

OF CRITICAL INFRASTRUCTURE PROTECTION AND COMPLI- 
ANCE POLICY, DEPARTMENT OF THE TREASURY 

Mr. Peretti. Chairman Johnson, Ranking Member Crapo, and 
distinguished Members of the Committee, it is my pleasure to ap- 
pear before you today to discuss cybersecurity of the financial sec- 
tor. As Director of Treasury’s Office of Critical Infrastructure Pro- 
tection and Compliance Policy, my role is to support the security 
and resiliency of the critical virtual and physical infrastructures 
that enable financial sector operations. Cybersecurity has been a 
central focus of our office for several years. 

Before I begin, I would like to thank the Committee for focusing 
attention on this critical issue. At all levels, Government and the 
financial sector have taken significant steps in recent years to en- 
hance information sharing of processes, improve baseline security 
at firms, and develop and test processes for responding to and re- 
covering from incidents. More work is needed, however, and discus- 
sions like this can help advance the whole-of-Nation-collaborative 
effort that is needed to respond to these very complex challenges. 

Helping to protect financial sector critical infrastructure from 
physical and virtual threats is an integral component of Treasury’s 
leadership in financial affairs domestically and globally. Presi- 
dential Policy Directive 21 was created in 2013 to advance a na- 
tional unity of effort to strengthen and maintain secure, func- 
tioning, and resilient critical infrastructure. This Directive reaf- 
firms Treasury’s role as the sector-specific agency for financial 
services, recognizing its financial services expertise and the value 
of its day to day engagement with financial institutions in building 
and enhancing security and resiliency partnerships. 

PPD-21, along with the President’s 2013 Executive Order on cy- 
bersecurity, forms the basis for Treasury’s mission to protect crit- 
ical infrastructure from cyber incidents. This work depends on 
strong partnerships with others in Government and industry. To 
focus our work, we collaborate closely with other Government agen- 
cies and the private sector. To coordinate with Government, we 
chair the Financial and Banking Information Infrastructure Com- 
mittee, a committee of 18 Federal and State regulators, and partici- 
pate in interagency discussions chaired by the White House. To co- 
ordinate with the sector, we work with the Financial Services Sec- 
tor Coordinating Council, which brings together private-sector in- 
stitutions, trade associations, and individual firms to discuss secu- 
rity and resiliency policy. 
Now that I have described who we work with, I would like to 
spend the remainder of my time today talking specifically about the 
substantial outcomes of our work. 

First, I would like to highlight our work to promote cybersecurity 
information sharing. Sharing technical and strategic information 
about cyber instances and threats is one of the most effective tools 
that the Government has to support the mitigation of cyber in- 
stances and improve the operational resilience of the financial sec- 
tor. In order to ensure that the sector receives the best information 
from all Government sources, Treasury works closely with other 
agencies to identify and declassify information that may be of use 
to private-sector firms. To this end, I have established a team with- 
in my office, the Financial Sector Cyber Intelligence Group, which 
works with the interagency and private-sector partners to provide 
timely and actionable information, including threat indicators, to 
the financial services sector. 

The financial services sector has invested significant resources in 
developing robust information-sharing mechanisms, primarily 
through the FS-ISAC. This information sharing and analysis cen- 
ter is a model for what can be accomplished by the private sector, 
and we in Government should look further to encourage the growth 
of the FS-ISAC and ISACs in other sectors. 

The President’s Executive Order 13636 called for NIST to de- 
velop a framework that would reduce cyber-risks to critical infra- 
structure. Treasury has worked closely with the financial sector re- 
garding how this sector could provide input into the framework. 
Today, the NIST Cybersecurity Framework is a voluntary blueprint 
that firms of all sizes can use to evaluate, maintain, and improve 
the resilience of their computer systems and reduce cyber-risk. 

Treasury continues to encourage financial service firms to utilize 
the framework, including by holding business partners, suppliers, 
and customers accountable to the risk management approach. In 
particular, efforts by SIFMA to develop auditable standards of the 
framework may be beneficial in supporting broad adoption of best 
practices. 

Finally, to improve incident management, Treasury believes the 
roles and responsibilities for different entities must be more clearly 
defined and regularly tested and refined. In order to prepare for cy- 
bersecurity instances, Government agencies and private-sector enti- 
ties must work together to develop and refine response protocols 
that clearly delineate roles and responsibilities. 

Similarly, exercises are necessary to improve incident plans and 
develop muscle memory in the organizations with the personnel re- 
sponsible for managing the incidences. Treasury has partnered 
with DHS and the FSSCC to develop an exercise program focused 
on the financial services sector. The first joint exercise in this pro- 
gram was held yesterday. By continuing to hold these exercises and 
smaller drills along the way, we can collectively hone preparedness 
and continually improve response mechanisms. 

In conclusion, while significant progress has been made to im- 
prove financial sector cybersecurity, we know there is more work 
to be done. We continue to hold ongoing discussions with our Gov- 
ernment and private-sector partners to identify and build a more 
secure and resilient financial sector. As these efforts progress, we 
will work with senior policymakers to determine the best course of 
action to address these issues as they are identified. 

I thank you for focusing on this issue and will be happy to take 
your questions. 

Chairman JOHNSON. Thank you. 

Dr. Schneck, please proceed with your testimony. 

STATEMENT OF PHYLLIS SCHNECK, DEPUTY UNDER SEC- 
RETARY FOR CYBERSECURITY AND COMMUNICATIONS, NA- 
TIONAL PROTECTION AND PROGRAMS DIRECTORATE, DE- 
PARTMENT OF HOMELAND SECURITY 

Ms. Schneck. Good morning, Chairman Johnson, Ranking Mem- 
ber Crapo, and distinguished Members of the Committee. I am very 
pleased to be here today to talk with you about the role of DHS 
in cybersecurity, the way we work with these critical issues with 
the financial sector. 

Secretary Johnson always reminds us that cybersecurity is a part 
of homeland security, and we are fortunate within the Department 
of Homeland Security to not only have where I am, with the Na- 
tional Protection and Programs Directorate, a non-law enforcement 
piece focused on the protection and resilience of critical infrastruc- 
ture, which includes cybersecurity and communications, but also 
law enforcement with Homeland Security Investigations as well as 
the U.S. Secret Service, some of the finest law enforcement inves- 
tigators on the planet for financial crimes. 

So, I speak with you today from the National Protection and Pro- 
grams Directorate on the non-law enforcement side and the role 
that we play. If you look at our National Cybersecurity and Com- 
munications Integration Center, which I will call the NCCIC, that 
is the core of cyber awareness, information coming in from victims, 
from partners, from vendors, from all of our interagency partners, 
whether it is the FBI, the intelligence community, from our in- 
house law enforcement, from Secret Service, from Homeland Secu- 
rity Investigations, all of our private-sector partners, all the State 
and local. 

Twenty-four-seven, all this information is coming in. We see 
something, say something. Just like the aviation industry, we learn 
from every event, whether people go out and help somebody stay 
online, we learn from that and it protects everybody else, or wheth- 
er the programs we have to protect the Government in, as you said, 
perimeter defense, those collect data with the full collaboration 
with privacy and civil liberties. We collect as much data as we are 
allowed to understand, just as weather forecasters do, what we 
need to do to have information propagated ahead to protect the 
next victim. We do that for Government and private sector, as our 
programs look at perimeter defense for Government agencies as 
well as internal, and we are also able to protect private sector with 
Government data. 

We also house the United States Computer Emergency Readiness 
Team, or the U.S.-CERT, people that get on airplanes to keep peo- 
ple online, fix and respond. Our role is to respond and mitigate 
cyberthreat, make sure people stay online, whether it is systems 
that keep the lights on, the water running, or cyber systems in 
general. We also have the Industrial Control System CERT housed 
in Idaho Falls which looks at those very control systems that do 
keep physical infrastructure alive. So, those electronic systems that 
can be breached and are being targeted, keeping those online. 

If we look at what is important here, it is speed. Our adversary 
enjoys an agility that we do not have. My background is in high- 
performance computing and cryptography, but also really looking 
at how you build intelligence and situational awareness, and it was 
my job at my previous company, a large cyber provider, to do the 
information sharing and to lead for the company when we shared 
information with Government and law enforcement. And, I learned 
there this is a very complex issue and what we can do to help build 
resilience and help change the profit model for the adversary and 
make that much smaller, make this not worth their time, is to 
mitigate faster. This is about speed. 

And, the way we can balance that is if the NCCIC and our abil- 
ity to respond as a Government, as a whole of Government, if you 
use the civilian non-law enforcement side to ingest the cyber activ- 
ity, as we are doing, and the first place to report, we can then 
begin the mitigation while people work with their lawyers to figure 
out how to work with law enforcement. They are equally important. 
We must prosecute bad guys, but we also have to make sure that 
we do not waste time in the middle with the lawyers on the law 
enforcement side so the companies can work with them and have 
that understood. We have to make sure we are already mitigating 
in real time. 

So, the financial sector has done a lot of work to help us use real 
time, as they call it, or machine time protocols, faster than the at- 
tacks, to help networks be smarter about what is coming to them. 
Those can already be working while law enforcement is then decid- 
ing how they want to prosecute the case, because we want that ci- 
vilian non-law enforcement reporting. Then we fan out all the data 
to the Secret Service, Homeland Security Investigation, FBI, intel- 
ligence community, and vendor partners that sit within the 
NCCIC. 

But, we have already started the mitigation, and it is this very 
speed that the FISMA modernization will help us to achieve, as 
well, helping us to clarify in statute the authority that we have to 
defend these networks and ensure that that, again, that mitigation 
has already started. And, I do thank the Senate for passing a 
version of this bill that could help us get there. 

I also want to point out what is important in our vision is the 
situational awareness, understand what is happening right now in 
cybersecurity, collect that data, work with private-sector partners, 
work with the financial sector, leverage the great work that this 
sector has built in trust, in automated machine-to-machine com- 
munication, in getting to the bottom of legal issues so that we can 
all talk and, again, enjoy the agility that usually the adversary 
only enjoys and enable this to work cross-sector. And, to do that, 
we also have to get to the small to medium business and use that 
Executive Order 13636 and our voluntary framework to enable best 
practices in cybersecurity to then enable all of this information 
sharing to get to those companies, as well, so that we can learn 
from them. 
In conclusion, we need to continue the great work that the finan- 
cial sector has done such a tremendous job on with us as a whole 
of Government, and I look forward to more partnership and to any 
questions you may ask. 

Chairman JOHNSON. Thank you. 

Ms. Abend, please proceed with your testimony. 

STATEMENT OF VALERIE ABEND, SENIOR CRITICAL INFRA- 
STRUCTURE OFFICER, OFFICE OF THE COMPTROLLER OF 

THE CURRENCY 

Ms. Abend. Chairman Johnson, Ranking Member Crapo, and 
Members of the Committee, I am pleased to be here today to dis- 
cuss the important issue of cybersecurity and what the OCC and 
the Federal Financial Institutions Examination Council has been 
doing to address cyberthreats and vulnerabilities. These efforts in- 
clude information sharing for the benefit of the banking industry, 
regulatory community, and the financial system overall. 

But, first, I want to thank Chairman Johnson for his many years 
of leadership in the financial services arena and wishing him well 
in his future endeavors. 

There are few issues more important to the OCC and to our 
country’s economic and national security than the risks posed to fi- 
nancial institutions by cyber attacks. We live in a world of rapidly 
evolving technology in which consumers store information in the 
cloud, pay bills with their computers, and use their cell phones to 
make purchases at the mall. However, these conveniences have 
also introduced new vulnerabilities into the financial system, mak- 
ing it more difficult to protect financial institutions and customer 
information from cyber attacks. 

As risks evolve, financial institutions must adapt. Our job as reg- 
ulators is to ensure that institutions we supervise do everything 
possible to identify and manage vulnerabilities to these 
cyberthreats and our ability to respond. 

To meet that objective, the OCC’s supervisory framework in- 
cludes ongoing monitoring and information sharing with other reg- 
ulators, Government agencies, and banks regarding emerging 
threats and changes to the risk landscape. It also includes develop- 
ment and continual refinement of standards and guidance that set 
forth our expectations as to how banks should safeguard their sys- 
tems and their customers’ information, including at their third- 
party service providers. 

To complement these efforts, we are committed to maintaining a 
cadre of highly trained IT examiners. While all OCC examiners re- 
ceive training on information technology risk management, we also 
cultivate examiners with specialized skills and experience to focus 
on the evolving information security and other technology risks in 
bank operations. Our examiners assess bank compliance with our 
supervisory expectations to ensure that they are appropriately 
managing risk, and when necessary, directing them to take correc- 
tive action. 

Comptroller of the Currency Tom Curry chairs the FFIEC, and 
one of the Council’s top priorities is to strengthen the resilience of 
regulated institutions to cyber attacks. Under the Comptroller’s 
leadership, the FFIEC created the Cybersecurity and Critical Infra- 
structure Working Group. The Working Group helps the FFIEC 
members collaborate on cyber-related examination policy, training 
programs, coordination of responses to cybersecurity incidents, and 
information sharing and awareness efforts. 

The Working Group has been quite active since its inception. In 
addition to sponsoring awareness and training webinars, it has 
drafted statements advising financial institutions about the variety 
of specific threats and vulnerabilities, including the Heartbleed and 
Shellshock vulnerabilities and attacks on ATMs. 

The FFIEC, on behalf of its members, also recommended that all 
institutions join the Financial Services Information Sharing and 
Analysis Center, a public-private partnership which provides infor- 
mation about current threats and vulnerabilities. 

A major initiative of the Working Group was to pilot a cybersecu- 
rity examination work program at more than 500 community insti- 
tutions. This cybersecurity assessment evaluated the operating en- 
vironment for each institution and assessed its overall level of pre- 
paredness. The results of the assessment will help FFIEC members 
make informed decisions about how they prioritize actions to en- 
hance the effectiveness of cybersecurity-related supervisory pro- 
grams, guidance, and examiner training. The results are summa- 
rized in a General Observations document that provides observa- 
tions and questions that banks, boards of directors, and CEOs 
should consider when assessing their cybersecurity preparedness. 

The Comptroller has emphasized the importance of communica- 
tion, collaboration, cooperation in all aspects of our mission, but no- 
where is communication and collaboration more important than in 
the realm of cybersecurity, where the threats transcend agency ju- 
risdictions and industry boundaries. The OCC is an active member 
of several information-sharing bodies. We also recognize the impor- 
tance of maintaining relationships with law enforcement and intel- 
ligence communities to share information through open lines of 
communication. We use information-sharing forums, relationships 
with Government agencies, and information from our exams to in- 
form our supervision. 

Finally, the recent breaches at large retailers highlight the need 
for improved cybersecurity for merchants. When breaches occur in 
merchant systems, we believe that merchants should contribute to 
efforts to make affected consumers whole so that banks, particu- 
larly community institutions, do not disproportionately shoulder 
the cost. Additionally, financial institutions share dependencies 
with other sectors, such as telecommunications and energy, and as 
such, we support efforts to ensure commensurate standards for 
those important critical infrastructures. 

In closing, we are committed to refining our supervisory proc- 
esses and to participating in a range of information-sharing forums 
to keep abreast of and respond to cyberthreats. Combating threats 
and protecting our economic security requires the Government and 
industry to work together for the good of consumers, the industry, 
and the entire financial services sector. 

Thank you, and I would be happy to answer your questions. 

Chairman JOHNSON. Thank you. 

Mr. Noonan, please proceed with your testimony. 
STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT 
IN CHARGE, CYBER OPERATIONS BRANCH, CRIMINAL INVES- 
TIGATIVE DIVISION, SECRET SERVICE 

Mr. Noonan. Good morning, Chairman Johnson, Ranking Mem- 
ber Crapo, and distinguished Members of the Committee. Thank 
you for the opportunity to testify with interagency partners regard- 
ing the ongoing threat of cybercrime to our Nation’s financial serv- 
ices sector. 

Chairman Johnson, while the Secret Service has only testified a 
handful of times before this Committee in recent years, we all ap- 
preciate the work you have done on behalf of American consumers 
and the financial services industry. We wish you the best in retire- 
ment. 

The founding mission of the Secret Service is to protect our Na- 
tion’s financial payment system from malicious activity. As it has 
evolved from paper to plastic to now digital information, so, too, 
has the Secret Service’s investigative mission. Today, financial 
transactions of all types depend heavily on information technology. 
As such, criminals motivated by greed have adapted their methods 
and are increasingly using cyberspace to exploit these systems to 
engage in fraud and other illegal activities. 

The wealth accrued by the world’s most skillful cybercriminals is 
staggering. Some have become multimillionaires through their 
criminal endeavors and are not stopping there. Cyber investigative 
programs are being outpaced by criminals who reinvest their illicit 
proceeds to support their malicious cyber activity. 

Despite substantial investments in cybersecurity by our leading 
financial institutions, we continue to see many fall victim to 
cybercriminals. In considering all the high-profile cyber incidents 
over the last year, it is clear that defense alone is inadequate. 
Proactive law enforcement investigations are essential in com- 
bating these threats. 

The Secret Service has observed transnational cybercriminals 
who, over the past 10 years, have grown into highly capable adver- 
saries. They command botnets consisting of millions of computers. 
They routinely compromise highly secure computer networks. And, 
they accomplish increasingly profitable operations. Last year, we 
witnessed an unlimited ATM cash-out operation that was unprece- 
dented in scope. The operation involved a cybercriminal organiza- 
tion which stole $40 million in less than 11 hours through a syn- 
chronized effort executed across 24 countries. Rich off the money 
they have stolen from Americans, our Nation faces increasing risk 
that sophisticated cybercriminals may coordinate their unique skill 
sets and apply their combined expertise to conduct cyber attacks 
against our critical infrastructure. 

Achieving a different outcome drives our work at the Secret Serv- 
ice. We focus on proactively investigating the most capable 
cybercriminals. To defeat these transnational groups, we target 
their criminal infrastructure and leaders. For example, last year, 
the Secret Service shut down the digital currency platform Liberty 
Reserve for allegedly running a $6 billion money laundering 
scheme. Prior to its shutdown, the currency had more than 5.5 mil- 
lion user accounts and approximately 55 million transactions. The 
founder of Liberty Reserve, Arthur Budovsky, was extradited from 
Spain to the United States in October. Mr. Budovsky is among 
seven individuals charged in the indictment. Four other codefend- 
ants pled guilty and are awaiting sentencing. 

In addition, this past year, the Secret Service worked with a key 
law enforcement partner to apprehend one of the primary master- 
minds alleged to be behind a series of unlimited ATM cash-out op- 
erations, including the one I previously mentioned. Since his arrest, 
there has not been another successful operation of this kind. These 
arrests prove that transnational cybercriminals are not beyond the 
reach of U.S. law enforcement. Over the past 5 years, the Secret 
Service arrested nearly 6,000 cybercriminals and prevented nearly 
$12 billion in potential fraud losses. 

The Secret Service actively shares information to disrupt 
cybercriminal schemes. This year, as a result of information discov- 
ered through just one of our ongoing cybercrime investigations, we 
notified over 200 U.S. organizations of cybercriminal activity tar- 
geting their networks. These include retailers, financial institu- 
tions, Government agencies, IT companies, health care providers, 
and military agencies. 

Our work does not stop with victim notification. The Secret Serv- 
ice also widely shares actionable cybersecurity information through 
our close partnerships with the Department of Treasury, the De- 
partment of Justice, and DHS’s National Cybersecurity and Com- 
munications Integration Center. This is in addition to our work 
with industry groups like the FS-ISAC, Financial Services Round- 
table, and the Business Executives for National Security. 

Through the dedicated efforts of our special agents, our Elec- 
tronic Crimes Task Forces, and our public and private-sector part- 
ners, the Secret Service will continue its efforts to counter the 
growing threat posed by cybercriminals. 

Thank you for the opportunity to testify on this important topic, 
and I look forward to your questions. 

Chairman JOHNSON. Thank you. 

Mr. Demarest, please proceed with your testimony. 

STATEMENT OF JOSEPH M. DEMAREST, JR., ASSISTANT DI- 
RECTOR, CYBER DIVISION, FEDERAL BUREAU OF INVES- 
TIGATION, DEPARTMENT OF JUSTICE 

Mr. Demarest. Last, but certainly not least, the FBI. 

[Laughter.] 

Mr. Demarest. Good morning, Ranking Member Crapo and dis- 
tinguished Members of the Committee. And to Chairman Johnson, 
I, and we in the FBI, thank you, sir, for your long and distin- 
guished service to the American people. Thank you, sir. 

I am honored to appear before you today to discuss cyberthreats 
facing our Nation, their relation to the financial sector, and the ef- 
forts the FBI is taking to identify, pursue, and defeat those threats. 
In the course of my testimony this morning, I hope to give you a 
sense of the extent to which today’s cyber actors pose new and in- 
creasingly complex threats to our country and to the financial sec- 
tor specifically, a threat that challenges traditional models of law 
enforcement and the intelligence communities. Today’s cyber ac- 
tors, from Nation-States to criminal groups and individuals, find 
themselves virtually unconstrained by time, distance, and physical 
location. 

I would like to start with a brief overview of the Cyber Division 
of the FBI. In general, our mission falls into three separate but pri- 
mary buckets. First, we identify the cyber actors perpetrating the 
harm and the role of cybercrime and cyber espionage. This is often 
the most difficult step, as cyberthreats use various methods to at- 
tempt to hide virtually in plain sight. 

Second, we pursue these actors, tracking their activity both on- 
line and off. We utilize collaborative partnerships across the Fed- 
eral Government, with international partners, and certainly with 
industry, along with our unique combination of national security 
and law enforcement authorities to gather intelligence about the 
tactics, techniques, and procedures of these actors. In short, we 
find these threat actors by using a variety of cutting-edge tech- 
niques to locate them no matter where they are on the planet. 

Last, with the aid of partnerships and our unique authorities, we 
defeat the cyber adversaries through a full range of methods, from 
prosecution to disruption, here and abroad. 

As the Members of this Committee are aware, the threat from 
cyber actors continues to advance in sophistication. I would like to 
spend the rest of my brief testimony highlighting a few of the ways 
the FBI, along with our partners here in Government and in orga- 
nizations like the Securities Industry and Financial Markets Asso- 
ciation, SIFMA, the Financial Services Sector Coordinating Coun- 
cil, FSSCC, the Financial Services Information Sharing and Anal- 
ysis Center, FS-ISAC, and the Financial Services Roundtable are 
collaborating with each other and with the private sector to protect 
the Nation and the financial sector, in particular, from 
cyberthreats. 

Specifically, I would like to talk about botnets and the criminal 
underground which harness the power of enormous webs of com- 
puters for malicious purposes and the FBI’s efforts to address them 
through Operation Clean Slate. 

As I speak, since 2001, estimates place the total damages caused 
by botnets at more than $9 billion in losses to U.S. victims and 
over $110 billion in losses worldwide to date. Approximately 500 
million computers are infected globally per year, translating to 18 
victims per second. Botnets are continually used to attack the fi- 
nancial sector through “denial of service” attacks, or DDoS attacks, 
and the FBI has been deeply involved in keeping such attacks from 
inflicting lasting damage. 

Beginning in September of 2012, for example, actors launched 
powerful DDoS attacks from a botnet to target major U.S. banking 
institutions. From March 2013 through July 2014, the FBI con- 
ducted approximately 36 classified threat briefings regarding the 
attacks on private-sector financial institutions and Government 
agencies, including DHS, Department of Treasury, the FDIC, and 
the Federal Reserve. The initial classified briefing held in March 
2013 was attended by over 300 chief information security officers. 
This type of outreach is now the norm for us. We share by rule, 
not exception. Based on imminent threats to the financial sector in 
early 2014, the FBI provided classified threat briefings in March, 
April, and July to a total of 145 financial institutions. 

Further, the FBI worked closely with DHS to issue a Joint Indi- 
cator Bulletin, or Bulletins, or JIBs, as they are affectionately 
called internally, to the U.S. banks, which included thousands of IP 
addresses that participated in the attacks. Throughout this cam- 
paign, the FBI held significant outreach efforts to brief bank net 
defenders through a series of classified briefings. These briefings, 
conducted by FBI, DHS, and Treasury representatives, provided 
the bank security personnel the context of the DDoS threat and en- 
abled the banks to share best practices with their peers in real 
time. 

To further assist with network defense of botnets, the FBI cre- 
ated a document called the FBI Liaison Alert System Message, or 
FLAS. Through this system, the FBI releases high-confidence data 
to the private sector with indicators and alerts related to computer 
intrusions and DDoS attacks. From April of 2013 through July of 
this year, the FBI disseminated 34 FLAS messages, about 20 of 
which dealt with threats directly focused on the financial sector. 
The FBI disseminated, among other information, indicators for ap- 
proximately 115,000 compromised systems in these messages. 

We at the FBI, in short, are doing everything in our power to 
keep pace with the threat against the financial sector and our Na- 
tion. Our agents, computer scientists and analysts, and profes- 
sional staff are all working hard to outpace the threats on a daily 
basis by identifying, pursuing, and defeating our adversaries wher- 
ever they may be in the world. The FBI and our partners through- 
out the Government have all made significant progress in recent 
years in collaborating within the cyber domain and we look forward 
to working with the Committee and Congress in protecting our Na- 
tion from these evolving threats. 

I thank you again for this opportunity and I look forward to your 
questions. Thank you. 

Chairman JOHNSON. Thank you all for your testimony. I will now 
ask the clerk to put 5 minutes on the clock for each Member. 

Director Schneck, we have heard that cyber attacks often have 
impacts on more than one critical infrastructure sector. What is 
DHS doing to facilitate information sharing and best practices 
among sectors? Are there other sectors that are particularly impor- 
tant to coordinate with the financial services sector? 

Ms. Schneck. Thank you, sir, and I also regret that my first 
time talking to you in this forum is my last, but thank you 

Chairman JOHNSON. Yes. 

Ms. Schneck. So, a great question. One of the reasons, I believe, 
that we exist in our NCCIC, that National Cybersecurity Coordina- 
tion, Communication, Integration Center, is really to look at how 
we take these attack attempts and how we take the data that we 
see and we take the actual attacks and make sure that not only 
we respond and mitigate quickly, but that we share that informa- 
tion out across sectors, because we are all connected. If we had to 
figure out whether finance was more important than electricity or 
water or gas, we would have a hard time doing that because they 
are all so interdependent, and you also add a complexity that a lot 
of the signaling systems, the electronics that control circuits open- 
ing and closing to make, literally, decisions — whether water comes 
out of a valve or nuclear or electric — all of that is, in many cases, 
the same equipment across the sectors. 

We work very hard through our Industrial Control Systems 
CERT and our regular computer emergency response teams and 
our interagency partners, our internal partners, everybody, and all 
of the trusted private-sector relationships to gather data and 
science and technology to understand two things. One is, how do 
we bring information in faster, and how do we analyze it, make 
real actionable intelligence out of it, and how do we push it out 
faster. 

So, bringing it in comes from trust and then automated mecha- 
nisms, so people and machines. When machines see something 
wrong behaviorally, they tell us, and this is all designed with pri- 
vacy and civil liberties baked in. The other piece is with people, 
and as we work closely with sectors such as financial industry as 
well as electric and water and all of the others, I think the finance 
sector, and I gave credit earlier, is very important, because they 
had set a standard of the level of trusted relationship going back 
15 years. They have been leaders in this. 

The Financial Services ISAC, Information Sharing and Analysis 
Center, that was mentioned earlier has taken great strides in pro- 
viding ways, free of charge, for others in the private sector and 
Government to attach their software, whatever they may be using, 
to protocols or ways that we can protect other sectors and other 
companies with information that we know in the NCCIC. So, if we 
keep all the information and analyze it and look at trends, just as 
weather forecasters do, our job now is to get it out as quickly as 
possible so that our networks are resilient, and without having 
seen it before, a piece of the network can understand a behavior 
that is wrong, just like your body’s immune system recognizes a 
cold that you may not have had before. And, working with our 
interagency partners and working with trust and advancements 
with the financial sector and others, we make other sectors strong- 
er. 

There are many sectors that are looking at this, as well as State 
and local and small to medium businesses, leveraging outreach 
from the cybersecurity framework. And, we have launched at DHS 
the C-Cubed VP. It is an acronym, of course, but it is the cyber — 
Critical Infrastructure Cybersecurity Community Voluntary Pro- 
gram, and that is a long name for we reach out to everybody that 
will listen to our best practices, that will go to our Web site and 
see how to judge your resilience, and that will take the information 
that we have, either ingest it by machine in real time, or by one 
of the reports that my colleagues have mentioned, or by simply 
calling us up saying that they need help, because the adversary 
moves quickly and with an agility we do not have. 

Chairman JOHNSON. Thank you. 

Ms. Abend, you are Chair of the FFIEC Cybersecurity Working 
Group. Third-party vendors may pose cybersecurity risks to finan- 
cial institutions, particularly smaller institutions. What actions are 
the FFIEC members taking to supervise third-party service pro- 
viders? 

Ms. Abend. Technology service providers serve an important role 
to our institutions, particularly in terms of the largest ones that 
provide core banking and other critical services to a large number 
of financial institutions, including community institutions. And, as 
such, the FFIEC publishes guidance that our examiners use to 
oversee these institutions, including guidance specifically on the 
oversight of technology service providers. We use some of our most 
talented specialized IT examiners at the OCC to supervise these 
entities jointly with other banking regulatory authorities. 

Chairman JOHNSON. Mr. Noonan and Mr. Demarest, last year 
around the holidays, we learned that one of the country’s largest 
retailers experienced a massive data breach after Thanksgiving. 
What changes and improvements have been made since last year 
to protect consumers during the holiday season, and how do you 
pursue cybercriminals, and would you characterize your investiga- 
tions as proactive or reactive? Mr. Noonan, let us start with you. 

Mr. Noonan. Yes, sir. Thank you. The Secret Service’s approach 
to going after cybercriminals today is a proactive approach. As we 
dive into our criminal investigations, we utilize a number of dif- 
ferent methods. We look at undercover operations. We have crimi- 
nal sources. We have confidential informants. And, we are also able 
to look at the criminals’ infrastructure and their communications. 
And, in doing so, we are able to see potentially where other victims 
are and make notifications to those companies. 

So, in many of today’s data breaches that are out there, our noti- 
fications are being made to those companies of their potential data 
breach by law enforcement, by the Secret Service. As a result of 
that, we work closely with those companies and we are able to 
draw out important evidence and tactics and trends that the crimi- 
nal adversaries are using against the victim company. When we do 
do that, we take that information and we share that across the in- 
dustry. 

So, just this past year, we increased the amount of information 
that we have put out. Actually, we put out, I think it was eight 
malware initial finding reports, which are new or different strains 
of malware, which we put out to industry to better help them in 
their defenses. In addition to that, we put out seven different in- 
dustry notices that went out to the whole of industry, and we use 
that — we take that information, and we are not just putting that 
out, but our partners at the NCCIC are helping us in dissemi- 
nating that information out to the whole of Government, out to the 
rest of industry, and in doing so, we are helping to fortify and pro- 
tect industry. 

Just this November, on November 7, the FS-ISAC along with the 
Retail Cyber Intelligence Sharing Center and the Secret Service 
put out a document to help the retailers on how to better protect 
themselves with the types of crimes that we saw over the past 
year — point of sale terminal, information theft that were happening 
through infiltration of different networks. And, it is a pretty robust 
product that we put out and I would be willing to share it for the 
record after the hearing. 

Chairman JOHNSON. Mr. Demarest. 

Mr. Demarest. Yes. In exactly the same very proactive or shift- 
ing toward a proactive stance, beyond our similar hair styles. Bill 
and I are very closely fused together today 

[Laughter.] 
Mr. Demarest. Yet, you would find — and we talk about 
major hacks of some of the retailers, too — we are finding great ben- 
efit. And, as Bill mentioned, we each do a great job in that 
proactive stance where we are using undercover operations, source 
operations, or human operations, current tactical coverages. But, 
we in the FBI are able also to bring to that the national security 
authorities. We are able to bring in what we are collecting and 
working with the intelligence community that may have overlap. 
Some of our actors, as you know, may serve by day on their own, 
but may be cooperating with a certain Government Nation or a Na- 
tion-State by evening. 

So, from that standpoint — and, what we provide is, on joint mat- 
ters or separate, is providing those industries or at least the tar- 
geted sector retail threat indicators. If they are focused or they are 
for some reason not following the target of either a Nation-State or 
criminal actors, that information is provided in near real time to 
the targeted company. 

Chairman JOHNSON. Senator Crapo. 

Senator Crapo. Thank you very much, Mr. Chairman. 

Mr. Noonan and Mr. Demarest, one question I have is, as your 
law enforcement agencies in the course of an investigation obtain 
data that is helpful for the victims of the data breach, it is often 
important to share this among institutions, as you have indicated, 
so that other potential victims are alerted and become able to pro- 
tect themselves. But, is there not an issue, also, with regard to 
whether in the process of sharing this data the bad actors are noti- 
fied that they are being investigated or alerted to the possibility 
that they are about to get caught? 

Mr. Noonan. So, I think it is more important for us in law en- 
forcement, obviously, to share information with the infrastructure 
we are talking about. Yes, sir, there is always a risk of the actors 
finding out about an investigation. But, I think it is more impor- 
tant for us together in law enforcement to make that notification 
to industry to be able to better prevent the occurrence from hap- 
pening, or to stop the bleeding, if you will. 

So, take for example Target. Notification was made to Target in 
a rather quick period of time, and I think the exposure on Target 
was only 2 weeks. Had that exposure gone out longer and we not 
made a notification to the industry, and then within 5 days of us 
working with Target, we took those industry, the indicators, and 
we pushed it out to the whole of industry. 

So, I believe law enforcement’s approach of going out and making 
notification, working with potential victim companies, is a critical 
part of the equation in what needs to be done to prevent further 
instances of data breach and others. 

Mr. Demarest. Fully concur. Cost-benefit analysis. So, once we 
do that, we look at what we are doing, those indicators that may 
potentially compromise current collection. We feel more strongly 
about sharing that information and closing down those avenues of 
the actors. The actors, Ranking Member Crapo, you do accurately 
point out they do a lot of research online, so they find these prod- 
ucts that are posted by us, DHS, I will say some of the managed 
cybersecurity firms’ products, the research products that are also 
done. They will do research on those and then change their tactics. 
But, the idea is to frustrate those adversaries, have them cost more 
in the way of time, resources, and energy to actually devise ways 
to circumvent what we put in place to block them. 

Senator Crapo. Thank you. 

And, Mr. Peretti and Dr. Schneck, the FS-ISAC and the DTCC 
recently launched a new information-sharing platform called Soltra 
Edge, which automates information sharing to send out threat in- 
formation at, as you have said, machine speed rather than human 
speed. And, as I understand it, Soltra uses the STIX language and 
the TAXII distribution method, which are protocols developed 
through DHS-funded projects. As the industry moves forward with 
automated information sharing, are Treasury and DHS able and 
ready to send and receive information at the same speed and in the 
same format as industry? 

Mr. Peretti. So, as we are moving forward — as industry is roll- 
ing out these programs — we are developing our systems to mirror 
that. So, while we are not at the stage yet to be able to share our 
information, we are formatting our information in that method and 
we expect to be able to do that as soon as the private sector is able 
to receive it. 

Senator Crapo. Do you want to add anything, Dr. Schneck? 

Ms. Schneck. I do. This is one of the most exciting things, I 
think, to happen to cybersecurity and information sharing. STIX is 
a way of shipping information and TAXII is a way of — STIX is a 
language, if you will, what fields are we sending, and TAXII is a 
way to do it, and Soltra is kind of like a user interface. And, Treas- 
ury and the financial sector and the FS-ISAC in particular built 
this so that anybody can use it, which all of a sudden hooks all of 
the entities we need to protect with an opportunity to send and re- 
ceive information. So, the wider your aperture in understanding 
what is happening in cyber, the better you can understand how you 
can form a behavior and an analysis of that that might hurt you. 
So, we are learning as we protect, and this is one enabler. 

The other thing on which we are working with Treasury is cyber 
insurance as a potential building — and the exploration of a poten- 
tial market to incentivize even the smallest companies to budget 
for cybersecurity. 

Senator Crapo. Well, thank you. 

Let me just — I just have a few seconds left, but let me follow up 
on that. We have had a lot of discussion here in your testimony and 
in our questions about the flow of information and making sure 
that we communicate at machine speed and so forth, but what in- 
formation are we talking about? What is it that you just described 
as such an exciting development that we are able to see being 
transferred and communicated at machine speed? 

Ms. Schneck. If I may, I will use an example in botnets that was 
raised a moment ago by law enforcement. Botnets are the ability 
for the adversary to lease hundreds of thousands of machines to 
just throw traffic at a network that is not expecting it and literally 
take them offline. 

What we can do with this now is understand, because we see a 
whole world that we are protecting and being connective through 
the efforts of the DHS programs and EINSTEIN and continuous 
diagnostics and mitigation across the Government, enhanced cyber- 
security services will use that information to protect the private 
sector and now the automation will connect us to everybody else, 
if you will. We can use that intelligence to start to understand 
which machines are generating this traffic. 

And, this is the world I come from in the private sector. This can 
happen in seconds. We can then provide the addresses of those ma- 
chines to the ISPs, as an example, and stop the traffic from getting 
to the organizations that they were targeted to hurt. And, that is 
just one example, and my saying in that in-house is months to mil- 
liseconds. 

So, before, and we still do this through trusted relationships with 
the Secret Service and Homeland Security Investigations and the 
FBI, we call the ISPs and give them the addresses now, or we 
email them. As this takes on, the machines will automatically 
know to block it. 

Senator Crapo. Thank you. 

Mr. Peretti. And, if I can just add on to that for 1 second; and 
what we do is ask the industry in conferences and meetings, what 
kind of information they need to be able to better defend their sys- 
tems. So, instead of us providing information to them that may not 
be actionable based upon the systems they use, we go out and actu- 
ally ask them, what kind of information they need. Usually, what 
they are asking for is IP addresses and malware hashes that they 
can then run through their systems to see if there are any intru- 
sions or malicious activity going on. So, that is the type of informa- 
tion we are going to keep providing and that dynamic feedback loop 
between us and industry is really helping to refine the information 
and the delivery of resources that is more actionable to them to 
help the network defenders to protect themselves. 

Senator Crapo. Thank you. 

Chairman JOHNSON. Senator Warren. 

Senator Warren. Thank you, Mr. Chairman, and since this is 
likely our last hearing of the year, I want to say to Chairman John- 
son and to Ranking Member Crapo, thank you for the very en- 
gaged, very open way that you have run this Committee and given 
us an opportunity to explore so many issues. It has really been ter- 
rific. And, I also want to say on Chairman Johnson’s retirement 
that your leadership has always been knowledgeable, thoughtful, 
principled, and it has been a great honor to serve with you, sir, so 
thank you. 

I want to talk about safety and soundness. In January 2011, Fed- 
eral Reserve Governor Tarullo gave a speech on regulating sys- 
temic risk in our financial institutions and how problems in one fi- 
nancial firm can create risks for overall financial stability. And, I 
was thinking about an example of two banks, JPMorgan and New 
York Mellon, settle all triparty repurchase agreements in the mar- 
ket. One-point-six trillion dollars’ worth of securities are funded by 
triparty repos every day. If a cyber attack disrupted the ability of 
either of those banks to allocate collateral, it could have dev- 
astating consequences for securities firms, for money market, mu- 
tual funds, major banks, even the liquidity of the United States 
Treasury. 

Now, Ms. Abend, this strikes me as a classic safety and sound- 
ness issue. The OCC’s safety and soundness analysis requires you 
to investigate how sensitive banks are to systemic market risk and 
how exposed each individual institution is to market risk given 
particular products and services that it offers. Then OCC regu- 
lators give the institution a ranking signifying whether it has ade- 
quately addressed each of the risks that are identified. 

So, I want to know whether systemic risk from cybersecurity is 
taken into account in the ranking, and second, whether firms that 
are not prepared are determined, as determined by the OCC, to 
have failed to satisfy the safety and soundness guidelines are then 
treated. 

Ms. Abend. Cybersecurity has been a top priority for the OCC, 
particularly over the last couple of years. 

Senator Warren. No, I appreciate that. You have made that 
clear. 

Ms. Abend. And, in that process, we do look at the risk profile 
of our institutions. As part of the cybersecurity risk assessment, we 
actually looked at various aspects of their cybersecurity inherent 
risk profile, which includes technologies that they use, the products 
and services that they offer, and the connections that they have. 
And, as part of our OCC examination process, we do assign some 
of our most talented IT examiners to be resident on-site at our 
largest institutions. 

Senator Warren. No, I understand that, but the question I was 
asking is whether or not you take this into account in ranking the 
institutions and then holding them accountable as part of your 
safety and soundness analysis. 

Ms. Abend. We do see cybersecurity as a safety and soundness 
issue and we do look at the risk profile of those institutions 

Senator Warren. And you put it into the ranking? 

Ms. Abend. I am not actually the expert who conducts that part 
of the ranking policy, but, what I can say is that we do have a risk- 
based analysis as to how we determine the risks of our institutions 
and the level of resources that they get on-site as resident exams. 

Senator Warren. Well, as we all know here, a future cyber at- 
tack could paralyze the financial sector with devastating con- 
sequences for our economy. No two crises are alike. We want to be 
out in front on this, and I would really like to know that the OCC 
is using this as part of their ranking. 

Let me ask about another issue. When we talk about cyber at- 
tacks that affect our financial institutions, we should remember it 
is not just the institutions themselves who are at risk. There is a 
whole chain of organizations. We have talked a little bit about this. 
There are lots of individuals, institutions that present 
vulnerabilities, from the merchants to the acquirers to the pay- 
ments processors and even to the employees. Forbes reported yes- 
terday that 71 percent of employees in a new survey report having 
access to data they should not see. But, my point is that each and 
every one of these links in the chain of commerce means millions 
of people, potentially, are exposed to financial fraud and theft. 

Last year’s breach at Target, which we have talked about a little 
bit today, made this abundantly clear. We now know that criminals 
used one of Target’s vendors to breach Target’s system by using 
malware to capture credit card and debit card information. In this 
case, there was a single point of failure, one vendor who had com- 
puters that were authorized to submit billing information to Tar- 
get, that created a breach that affected the entire chain. 

So, Mr. Peretti, how is Treasury monitoring the other entities 
along the chain, from the retail merchants, to the third-party data 
processors and software providers, all the way down the line before 
it gets to the banks, to ensure that they are making the necessary 
investments in cybersecurity? 

Mr. Peretti. So, what Treasury has been doing has been commu- 
nicating with financial firms to be able to highlight this risk within 
the system, to be able to make sure that they are paying attention 
not only to their own internal systems, but to also all their ven- 
dors. One of the ways we have been doing that is to really publicize 
in this cybersecurity framework, which is a framework to be able 
to, first, be able to identify how you are doing cyber security within 
your own organization, but then we have been asking firms to be 
able to use this potentially as a way to be able to look at their out- 
side vendors. Are there 

Senator Warren. I am sorry. So, your monitoring of the chain is 
limited to telling the financial institutions to take a look at the 
chain? Is that what you are saying? 

Mr. Peretti. So, the financial firm’s decisions are based upon a 
risk model in which they look at that. They are able to select their 
vendors based upon the products and services that they need to be 
able to deliver the services to their customers. And, so, we try 

Senator Warren. I think that meant yes. Is that what you were 
saying? 

Mr. Peretti. What we try to do is deliver the information to 
them so that they can make appropriate risk management deter- 
minations as opposed to telling them which vendors they should or 
should not use. 

Senator Warren. Oh, I am not talking about telling them which 
vendors to use. What I am just trying to understand is the process 
by which you are monitoring — the risk comes in all the way up and 
down the chain 

Mr. Peretti. Yes. 

Senator Warren. and we obviously know that now. So, the 
question I was asking about is whether you have any direct moni- 
toring of any part of the chain, and what I think I am hearing you 
say is you are just telling the financial institutions to be sure to 
monitor. 

Mr. Peretti. So, Treasury is not a financial regulator. 

Senator Warren. I understand that. 

Mr. Peretti. We have 17 Federal and State financial regulators 
out there. What we do is provide information to them so that as 
they do their examination process, that could be incorporated into 
their examination procedures going forward. So, we do not go out 
and monitor or survey any of those folks. That is not our role with- 
in the sector. We provide that information to the regulators to be 
able to then use that information within their examination process. 

Senator Warren. Well, I am over my time, but if I can ask just 
one more question, just a little bit here. Dr. Schneck, how much 
risk do retailers pose, and particularly small retailers, particularly 
those who do not have the resources for sophisticated cyber de- 
fense? 
Ms. Schneck. So, thank you. That is a great point, and I would 
ask to expand it to small to medium business in general. 

Senator Warren. Fair enough. Yes. Expand. 

Ms. Schneck. So, we think there is a lot of risk, and that is part 
of why, as Mr. Peretti was mentioning, we do leverage this cyberse- 
curity framework, because it was developed by industry and Gov- 
ernment, by scientists from industry with NIST and with DHS, and 
we use those best practices to bring the discussion of cybersecurity 
as a risk equation, because most small to medium businesses, at 
least the last year with whom I have spoken, did not really look 
at cybersecurity as a main part of their risk equation and we are 
trying very hard to change that with these massive outreach pro- 
grams. I have actually gone out West and talked to venture capital- 
ists who start the smallest companies with the best technologies 
and ask them how they could invest tens of millions of dollars in 
intellectual property and not think about how to protect it. 

So, we are trying to change the paradigm of how we focus on cy- 
bersecurity and make it part of how every entity in that chain 
looks at their risk so that the information that Mr. Peretti gets is 
more accurate, and we are using these outreach programs as a way 
to do that, and we are trying to incentivize using cybersecurity 
with tools such as developing a market for cyber insurance and 
working closely with Treasury on that. Other areas look at grants, 
or how do we protect reputation forward, but really making secu- 
rity part of the culture, making it good to share information about 
a breach, because your experience is very common and can protect 
a lot of others and that is the kind of intelligence and galvanization 
that we as a country and community need to do to help Govern- 
ment and industry tackle this and change the profit model for the 
criminals. 

Senator Warren. Well, good. Well, I very much appreciate that 
you are trying to shift the paradigm here. I understand the focus 
on the banks and why that is so important, but we have got to 
harden our security up and down the line, and I think that we can- 
not just make this about the banks. It has got to be the whole 
chain here. So, thank you very much, and thank you, Mr. Chair- 
man. 

Chairman JOHNSON. Senator Schumer. 

Senator Schumer. Well, thank you, Mr. Chairman, and first, I 
would be remiss if not to acknowledge, I guess this will be the last 
hearing, unless we have to have one on TRIA or something — I hope 
not 

[Laughter.] 

Senator Schumer. that you will be chairing the Banking 
Committee. So, I just wanted to take this opportunity to personally 
say how much you will be missed. You have been a great voice of 
reason, a steady tiller on this Committee, and we have done great 
things under your fair and independent chairmanship, and, of 
course, we have become close friends. Last night, I got to say a few 
words, of course, about you at our departing dinner. But, I just 
want to wish you and Barbara all the best. 

And, to my good friend, Mike Crapo, I guess this is your last 
hearing, we hope, as Ranking Member. I imagine you are moving 
on to bigger and better things. 
Senator Crapo. We are going to see. 

[Laughter.] 

Senator Schumer. But, I want to wish you well. And, just like 
Tim, you have been fair and open and a wonderful person to work 
with, so thank you. 

Now, I have a couple of — first, to the matter at hand, whether 
it is terrorists looking to cause us harm by wreaking havoc on 
cyber infrastructure, illicit goods being sold over the Internet, or 
sophisticated criminals hacking into systems of our financial and 
retail institutions, cybersecurity has never been more important to 
our safety and economy, and I think it is finally beginning to come 
into the public consciousness. 

A couple of years ago, when a number of chairs here attempted 
to do a cybersecurity bill, there was resistance from industry. They 
did not want to share information about breaches. It was sort of 
like, I thought, almost some of these industry leaders objecting, it 
was sort of when Churchill asked them to turn out the lights. He 
asked Britain to turn out the lights during the Battle of Britain. 
Some people said, “No, I do not want to.” I think those days are 
over. I think that the business community, broadly put, under- 
stands the danger here and is far more willing to cooperate than 
before. And, it is going to become a worse problem before it be- 
comes better, I am afraid. 

So, I have a few questions. First, to any of you, is business much 
more willing to cooperate, to share information about breaches and 
all these kinds of things than they were a year or two ago? Mr. 
Peretti. 

Mr. Peretti. Thank you for that question. We have seen a large 
change within industry to be able to be more forthcoming and open 
with sharing this information. They understand that the key for 
this is not only to share the information with law enforcement and 
the Government, but also with other parties. 

Senator Schumer. Right. 

Mr. Peretti. This really came about during the DDoS attacks 
that started to occur back in 2012 in which financial firms saw that 
they were being attacked, and instead of keeping that information 
to themselves, they actively shared it with other financial institu- 
tions who would potentially be the next one to be attacked. 

Senator Schumer. And, are they willing to share it with law en- 
forcement and the people at Treasury, Homeland Security? Do you 
all agree they are much more willing to share information now 
than before? Does anyone disagree with that? 

Mr. Demarest. We agree, yes, Senator Schumer. Yes, from the 
FBI, and I am sure Secret Service will echo the same, and DHS. 
We find them much more open today to sharing and getting in- 
volved earlier for purposes of whether they want to take something 
to prosecution or criminal or for national security purposes 

Senator Schumer. Right. 

Mr. Demarest. to better defend the Nation. 

Senator Schumer. Sure. 

Mr. Demarest. So, we find them sharing much more readily. 

Senator Schumer. Well, I hope this will yield next year an abil- 
ity to pass some real legislation here. We need legislation. It has 
been stymied, in part because of the business reluctance of re- 
quired sharing of information, and I just hope we will overcome 
that. 

My next question, I think most of us were shocked at the sophis- 
tication of the breach on Sony. I know that is not a financial firm, 
but could happen, and my question was broader than just Sony. 
Fingers are pointing to North Korea. Now, I do not know what in- 
formation you folks have about that, but my general question is, 
it is sort of surprising that a country like North Korea, which is 
sophisticated in a few areas but not very sophisticated in most, 
would have such an amazing ability to turn a large company into 
a knot. 

How many other countries have this kind of ability? How serious 
is country attacks, cybersecurity not so much on Government facili- 
ties, but on — which we have to worry about seriously, I am very 
worried about those — but on other private entities, whether they be 
in financial, where they could disrupt an economy, or retail, disrupt 
retail, power, whatever else. Could somebody give me a little anal- 
ysis there about how serious country threats are? 

I think we have all been — our awareness of that has been height- 
ened because of the supposed attack by North Korea. I do not know 
what level of proof you can give on that yet, or want to, but I am 
just asking about the country sophistication in doing this, not just 
U.S., Russia, China, which we hear about all the time, but next 
level countries. 

Mr. Demarest. Senator Schumer, I will start. So, I will not touch 
on the attribution piece because we are still working very, very 
hard at that. 

Senator Schumer. Right. I understand. 

Mr. Demarest. I will say it is a model of cooperation with Sony, 
Sony executives, in how this is brought about. The event occurred, 
and within hours, you find teams from the FBI and the interagency 
actually on ground and working with Sony and their managed cy- 
bersecurity provider, for Mandiant. 

The level of sophistication is extremely high, and we can tell 
based on our investigative efforts to date, organized and certainly 
persistent. So — and when we talk about, you know, generally 
speaking, about Nation-States that have this capability, you could 
pick the top three or four off the top of your head that have the 
ability when we talk about computer network attack capability, 
and one predominately out of the Middle East that we are also very 
concerned about. 

Senator Schumer. Yes. 

Mr. Demarest. So, generally speaking, it is of concern, because 
in speaking with, I will say, with Sony and, separately, their man- 
aged cybersecurity provider, the malware that was used would 
have slipped, it probably would have gotten past 90 percent of the 
net defenses that are out there today in private industry, and I 
would challenge to even say Government. 

Senator Schumer. Wow. Does every — so, I know you mentioned 
a big Middle East country, which I would assume is Iran, and you 
do not have to comment. But, what I was asking, is there a next 
level of countries that have almost as sophisticated a level, an abil- 
ity to attack as U.S., China, Russia, Iran? 

Mr. Demarest. So 

Senator Schumer. Because, that was frightening. I think it was 
frightening to people, the specter that it might have been North 
Korea that did this, and said, Lord knows, anyone can do this. 

Mr. Demarest. We have watched countries over the past 2½, 3 
years actually evolve and develop greater capability and skill. 

Senator Schumer. So, this is becoming more and more of a prob- 
lem, and I imagine, and this is Dr. Schneck more than anything 
else, it is a geopolitical problem as well as an economic problem. 

Ms. Schneck. I think it is an everything problem. This is — and 
I am going to take this from a slightly different angle 

Senator Schumer. Sure. 

Ms. Schneck. from a non-law enforcement angle. In our 
world, in the National Cybersecurity and Communications Integra- 
tion Center, and for DHS, the non-law enforcement piece, to pro- 
tect — 

Senator Schumer. Yes. 

Ms. Schneck. everyone and our stakeholders, it — attribution 
is almost a distraction. For us, it is how do we understand — 
malware is simply a set of instructions that have the ability to 
allow me to execute my will on your machine, which means I turn 
your lights out, I kill your machine, I take your business down, 
whatever I want, or I sit there and watch what you do and send 
it out back home and learn what you are doing and resell it. 

What I worry about and what our team worries about is that the 
increasing sophistication is available to anyone. It is really not 
about what country or what about — it is about, how can they ac- 
quire it. It is for sale in the underground. You can get sophisticated 
sets of instructions that will do this, and it is very much like what 
I will call the antibiotic resistant strain. The better we get, and we 
have to get better, but the better the adversaries get 

Senator Schumer. Yes. 

Ms. Schneck. And that is why my push for speed, because the 
one thing they cannot do is behaviorally make the Internet strong- 
er. 

Senator Schumer. In some ways, it is a little like nuclear weap- 
ons. You not only worry that these countries can make them, but 
who they sell them to, which might not be a country. 

Ms. Schneck. Correct. 

Mr. Noonan. Senator Schumer 

Senator Schumer. Does anyone — just one final question, with 
your indulgence, Mr. Chairman, since I am the last one here — and 
I will call on you, Mr. Noonan — but, does anyone doubt the need 
for stronger legislation on this, aside from all the good efforts that 
you are doing? Raise your hand if you think we need legislation of 
some sort. Everybody. Let the record show all hands were raised. 

[Laughter.] 

Senator Schumer. You have the last word, Mr. Noonan. 

Mr. Noonan. I am sorry. Your comments about Nation-State ac- 
tors. I think with the FBI and the Secret Service and the experi- 
ence that we have together on going after a number of the different 
sophisticated criminal groups. Dr. Schneck mentioned how some of 
this information and some of these tactics are available at the 
criminal underground level, too. Just this year, we discovered a 
criminal tool that was available to the criminal underground for 
the simple price of $3,000 which could DDoS many, many different 
companies, many different countries, if you will, at a huge, huge 
rate. I think it was 36 gigs of DDoS power it would do for a simple 
$3,000 for sale on the criminal underground. So, the complex crimi- 
nal actors that we are looking at that are doing a lot of these intru- 
sions have the skills and the sophistication that far exceed a num- 
ber of different Nation-States, too. So, the criminal threat is a sig- 
nificant threat and it is scary about how much of that technology 
exists today, just for sale on the criminal underground. 

Mr. Demarest. Senator Schumer, we could make you a hacker 
in 30 minutes, based on the tools that are currently available in 
the underground 

Senator Schumer. I refuse the offer. 

[Laughter.] 

Mr. Demarest. Let the record reflect. 

Senator Schumer. I want to show you the phone I use, just in 
case. You may want to revise your remarks here. 

[Laughter.] 

Senator Schumer. Thank you, Mr. Chairman. 

Chairman JOHNSON. Thank you. 

Does Senator Warren or Senator Schumer have a follow-up? 

Senator Schumer. No, thank you. 

Chairman JOHNSON. I want to thank our witnesses for testifying 
today and for all their work on this important issue. 

This hearing is adjourned. 

[Whereupon, at 11:18 a.m., the hearing was adjourned.] 

[Prepared statements, responses to written questions, and addi- 
tional material supplied for the record follow:] 


PREPARED STATEMENT OF BRIAN PERETTI 

Director for the Office of Critical Infrastructure Protection and 
Compliance Policy, Department of the Treasury 

December 10, 2014 

Chairman Johnson, Ranking Member Crapo, and distinguished Members of the 
Committee, it is a pleasure to appear before you today to discuss the cybersecurity 
of the financial sector. As Director of Treasury’s Office of Critical Infrastructure Pro- 
tection and Compliance Policy (OCIP), my role is to support the security and resil- 
iency of the critical virtual and physical infrastructure that enables financial sector 
operations, and cybersecurity has been a central focus of our office for several years. 

Over this time, I’ve seen cybersecurity questions that were once thought of as a 
“back office” information technology issue now take center stage among senior Gov- 
ernment leaders, business executives, and the Nation as a whole. I believe this shift 
reflects the increasingly sophisticated and persistent nature of the cyberthreat, 
which most would say is among the most pressing operational risks that financial 
institutions face today. 

Before I begin, I would like to thank the Committee for focusing attention on this 
critical issue. At all levels, Government and the financial sector have taken signifi- 
cant steps in recent years to enhance information-sharing processes, improve base- 
line security at firms, and develop and test processes for responding to and recov- 
ering from incidents. More work is needed, however, and discussions like this can 
help advance the whole-of-Nation, collaborative effort that is needed to respond to 
these very complex challenges. 

History of Treasury’s Role 

Helping to protect financial sector critical infrastructure from physical and virtual 
threats is an integral component of Treasury’s leadership in financial affairs domes- 
tically and globally. 

In recent decades, and specifically since the publication of Presidential Decision 
Directive (PDD) 63 in 1998, Treasury has served as the lead Executive Branch agen- 
cy liaison with the financial sector for national and homeland security purposes, 
supporting a national effort to assure the security of the United States’ critical in- 
frastructure. Since the early days of this effort, we have recognized that this work 
absolutely cannot be done without strong collaboration with the private sector, who, 
as you know, own and operate the bulk of the infrastructure we are discussing. 
Along these lines, one of Treasury’s early efforts in this space was to support the 
creation and development of the Financial Services Information Sharing and Anal- 
ysis Center (FS-ISAC) in 1999, which continues to be an important focal point for 
cross sector collaboration on these issues. Following the attacks of September 11, 
Treasury established OCIP, was made chair of the newly formed Financial and 
Banking Information Infrastructure Committee (FBIIC), and engaged again with in- 
dustry and Government partners to encourage the establishment of the Financial 
Services Sector Coordinating Council for Critical Infrastructure Protection and 
Homeland Security (FSSCC), which brings together private-sector institutions and 
organizations to discuss security policy. 

Of course the Federal Government sought to reorganize its efforts to protect crit- 
ical infrastructure as a whole following 9/11. This included the creation of the De- 
partment of Homeland Security (DHS) and its central role in supporting critical in- 
frastructure protection across sectors. 

In 2003, Homeland Security Presidential Directive 7 (HSPD-7) superseded PDD- 
63 and further established Treasury’s role as sector liaison by naming Treasury the 
Sector Specific Agency (SSA) for the banking and finance sector. 

Presidential Policy Directive (PPD-21), which revoked HSPD-7, was published in 
2013 to advance a national unity of effort to strengthen and maintain secure, func- 
tioning, and resilient critical infrastructure. PPD-21 reaffirmed Treasury’s role, rec- 
ognizing its sector expertise and day-to-day engagement in building and reinforcing 
the security and resiliency partnership between the public and private sectors. 

At the same time that PPD-21 was published, the President issued Executive 
Order (EO) 13636, which was focused specifically on cybersecurity. EO 13636 sought 
to specifically address the growing cyberthreat to critical infrastructure by enhanc- 
ing partnership with the owners and operators of critical infrastructure to improve 
cybersecurity information sharing and collaboratively develop and implement risk- 
based standards. 

In response to PPD-21 and EO 13636, the Treasury has continued to expand its 
focus on increasing the security and resiliency of the financial services sector. Cy- 
bersecurity now ranks as one of Treasury’s top priorities. 
Building Partnerships To Reduce Risk 

We at Treasury have found it necessary to coordinate closely with other Govern- 
ment agencies and the private sector in order to keep pace with the growing volume 
and sophistication of cyber attacks. 

In addition to routine one-on-one communications with Federal and State finan- 
cial regulators at the staff- and principal-levels, Treasury coordinates financial sec- 
tor cybersecurity efforts through the FBIIC. This committee of Federal and State 
financial regulators meets monthly.¹ Meeting agenda topics range from removing 
information-sharing impediments and enhancing incident response planning, to dis- 
cussing best practices for cybersecurity policies, procedures, and controls. Between 
meetings, staff work to advance key initiatives, share details of new cyber incidents, 
and disseminate actionable information about those incidents to financial institu- 
tions. 

Given recent threats and incidents, and to sharpen the attention of the financial 
regulators on cybersecurity, last summer, under the leadership of Secretary Lew 
and Deputy Secretary Bloom Raskin, FBIIC launched regular principal-level meet- 
ings of the committee. While staff-level meetings focus on operational and tactical 
issues, the principal-level meetings concentrate on strategic, policy-level issues 
around cybersecurity and other critical infrastructure matters. 

Additionally, Treasury appreciates its collaboration with the Federal Financial In- 
stitutions Examination Council (FFIEC), through which Federal banking and credit 
union agencies coordinate and share information, and looks forward to continuing 
to work closely with the FFIEC on cybersecurity and other issues. 

To coordinate policy development and shared situational awareness, Treasury 
leadership and staff regularly meet with officials of other cabinet departments, law 
enforcement organizations, and the intelligence community, including the Depart- 
ment of Homeland Security, Federal Bureau of Investigation, the United States Se- 
cret Service, and the National Security Agency. These meetings take place in bilat- 
eral settings as well as various group meetings, including the National Security 
Council Staff led Cyber Interagency Policy Council (IPC). 

Our coordination with the private sector primarily takes place through the FSSCC 
and the FS-ISAC and regional coalitions. Additional coordination occurs through in- 
dividual institutions as well as trade organizations such as the Financial Services 
Roundtable’s BITS division, the American Bankers Association, the Clearing House, 
the Securities Industry and Financial Markets Association (SIFMA), Credit Union 
National Association, the National Association of Federal Credit Unions, and the 
Independent Community Bankers of America. 

Collaborative efforts to respond to cyber-risk also depend on strong partnership 
between the public and private sectors. 

Our coordination efforts between the public and private sector on financial sector 
cybersecurity efforts focus on three areas: 

• Facilitating the sharing of timely, actionable information regarding cyberthreats 
and incidents with a view toward limiting attacks and stopping contagion across 
systems, networks, and institutions; 

• Assisting with effective, prompt response and recovery from cyber incidents to 
reassure the public and protect public and private assets; and 

• Promoting best practices around cybersecurity controls that help operators of fi- 
nancial systems prevent attacks from succeeding and help minimize the damage 
from any successful attacks. 

Information Sharing 

Sharing technical and strategic information about cyber incidents and threats is 
one of the most effective tools that the Government has to support the mitigation 
of cyber incidents and improve the operational resiliency of the financial sector. 

Sharing cybersecurity information is critical to enhance firms’ ability to protect 
their networks and systems from malicious cyber activity, limit the impact of cyber 
incidents that have already occurred, and establish shared awareness of 
cyberthreats so Government and the private sector can respond rapidly to signifi- 
cant incidents. 

The primary challenges that currently exist in information sharing are related to 
growing the network of institutions and Government agencies that contribute to col- 
lective information sharing, increasing the speed of sharing and processing of 
cyberthreat information, improving the value of information by contributing more 


¹ The 18 committee members include representatives from Treasury, the Federal banking reg- 
ulators, the Federal market regulators, and associations representing State banking, insurance, 
and securities regulators. 
information derived from classified sources to private-sector companies, and ad- 
dressing legal concerns of private-sector companies that inhibit them from engaging 
in robust information sharing. 

The financial sector has invested significant resources in developing robust infor- 
mation-sharing mechanisms, primarily through the FS-ISAC. This Information 
Sharing and Analysis Center is a model for what can be accomplished by the private 
sector, and we in the Government should look to further encourage the growth of 
the FS-ISAC and ISACs in other sectors. 

We commend Tom Curry for his leadership and note the FFIEC’s recommendation 
from last month that all firms consider participating in the FS-ISAC. Treasury sup- 
ports firms’ consideration of participation in such information-sharing organizations. 
The FS-ISAC has seen a tremendous surge in membership over the last year. Af- 
firmative support by the financial regulators will support further growth of such im- 
portant institutions. 

In order to improve the speed of information sharing, and therefore its effective- 
ness, Treasury supports the FS-ISAC’s move towards automated information shar- 
ing through the adoption of Structured Threat Information expression (STIX) and 
Trusted Automated eXchange of Indicator Information (TAXII). These information- 
sharing protocols, on which DHS has been a leader, minimize the lag between dis- 
covered threats and deployed defenses. 

In order to ensure that the sector is receiving the best possible information from 
all Government sources, Treasury works closely with other agencies to identify and 
declassify information that may be of use to private-sector firms. To this end, I have 
established a team within my office, the Financial Services Cyber Intelligence Group 
(CIG), which works with interagency and private-sector partners to provide timely 
and actionable information, including threat indicators, to the financial services sec- 
tor. Treasury supports the efforts set forth under section 4 of EO 13636. DHS’s Na- 
tional Cybersecurity and Communications Integration Center deserves a special 
commendation for its continuing work in facilitating the efficient and beneficial ex- 
change of information between Government agencies and the private sector. 

Treasury also recognizes that Federal financial regulators have unique authorities 
and relationships with financial institutions. To capitalize on this, Treasury encourages 
efforts by the financial regulators to develop strategies for regulatory agencies 
to utilize unique relationships and authorities to improve information sharing and 
enhance situational awareness. 

Incident Management 

To improve incident management, Treasury believes that roles and responsibil- 
ities for different entities must be more clearly defined and regularly tested and re- 
fined. In order to best prepare for cybersecurity incidents, Government agencies and 
private-sector entities must work together to develop response protocols that clearly 
delineate roles and responsibilities. 

Within the financial sector, Treasury has worked closely to support the develop- 
ment of sectorwide response protocols, including the FS-ISAC’s all-hazards response 
plan and the FSSCC’s cyber-response framework. Additionally, protocols must be 
developed by individual private firms and coordinated across sectors. 

And these protocols must be integrated and regularly updated to maintain rel- 
evance and effectiveness. They must also take into account interconnections across 
sectors and be inclusive of all relevant critical infrastructure. 

Similarly, exercises are necessary to improve incident response plans and develop 
“muscle memory” in the organizations and with the personnel responsible for man- 
aging incident response. Treasury has partnered with DHS and the FSSCC to de- 
velop an exercise program focused on the financial services sector. The first joint 
exercise in this program was held yesterday. By continuing to hold these exercises, 
and smaller drills along the way, we can collectively hone our preparedness and con- 
tinuously improve our response mechanisms. 

Best Practices 

And finally, the Federal Government can play a unique role in working with in- 
dustry to support the use and development of standards, guidelines, and best prac- 
tices on cybersecurity, ensuring that these practices are up-to-date and enable tech- 
nical innovation. President Obama’s EO 13636 called for NIST to develop a frame- 
work that would reduce cyber-risks to critical infrastructure. Treasury has worked 
closely with the financial sector regarding how the sector could provide input into 
the Framework. Over the 12-month period from the issuance of the EO to the roll 
out of the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cy- 
bersecurity Framework), the financial sector sent representatives to each of the five 
NIST workshops, met with NIST and Treasury to discuss sector specific considerations, 
and provided comment letters on the draft document. Without this time commitment 
and sharing of knowledge by the financial sector and all of the members 
from other sectors, interested organizations and the public who devoted time to this 
subject, the NIST Cybersecurity Framework would not have been completed so suc- 
cessfully. 

As it exists today, the NIST Cybersecurity Framework is a voluntary blueprint 
that firms of all sizes can use to evaluate, maintain, and improve the resiliency of 
their computer systems and reduce cyber-risk. Treasury continues to encourage fi- 
nancial services firms to utilize the Framework, including by holding business part- 
ners, suppliers, and customers accountable to its risk management approach. In par- 
ticular, efforts by SIFMA to develop auditable standards of the Framework may be 
beneficial in supporting broad adoption of best practices. 

Likewise, recent efforts by financial regulators to promote consistent adoption of 
best practices across the sector are encouraging. The SEC recently promoted the use 
of the NIST Cybersecurity Framework and other related NIST standards in the 
guidance to its final Regulation Systems Compliance and Integrity (Reg SCI). Such 
consistency is important to promoting shared understanding of cybersecurity risk 
management and broad adoption of best practices. 

Conclusion 

While significant progress has been made to improve financial sector cybersecu- 
rity, we know that there is more work to be done. We continue to hold ongoing dis- 
cussions with our Government and private-sector partners to identify and build a 
more secure and resilient financial sector. As these efforts progress, we will work 
with senior policymakers to determine the best courses of action to address the 
issues that are identified. 

I thank you for focusing on this issue and would be happy to take your questions. 
Introduction 

Chairman Johnson, Ranking Member Crapo, and distinguished Members of the 
Committee, I am pleased to appear today to discuss the work of the Department 
of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) 
to address persistent and emerging cyberthreats to the U.S. homeland. 

On February 12, 2013, the President signed Executive Order (EO) 13636, Improv- 
ing Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21, 
Critical Infrastructure Security and Resilience. These set out steps to strengthen the 
security and resilience of the Nation’s critical infrastructure. They reflect the in- 
creasing importance of integrating cybersecurity efforts with traditional critical in- 
frastructure protection. The President highlighted the importance of Government’s 
role in encouraging innovation and economic prosperity while promoting safety, se- 
curity, business confidentiality, privacy, and civil liberties. DHS partners closely 
with owners and operators to improve cybersecurity information sharing and en- 
courage implementation of risk-based standards in order to meet the President’s ob- 
jectives. 

In my testimony today, I would like to highlight how DHS helps secure cyber in- 
frastructure and then discuss a few specific examples where we prevented and re- 
sponded to a variety of cybersecurity challenges. 

DHS Cybersecurity Role 

Based on our statutory and policy requirements, DHS undertakes three broad 
areas of responsibility in cybersecurity: (1) we coordinate the national protection, 
prevention, mitigation, response and recovery in the event of significant cyber and 
communications incidents; (2) we disseminate domestic cyberthreat and vulner- 
ability analyses across critical infrastructure sectors; (3) we investigate cybercrime 
that falls under DHS’s jurisdiction. 

DHS components actively involved in cybersecurity include NPPD, the United 
States Secret Service, the U.S. Coast Guard, U.S. Customs and Border Protection, 
Immigration and Customs Enforcement, the DHS Office of the Chief Information Of- 
ficer, the DHS Science and Technology Directorate, and the DHS Office of Intel- 
ligence and Analysis (I&A), among others. In all of its activities, DHS coordinates 
its cybersecurity efforts with governmental, private sector, and international part- 
ners. 
The DHS National Cybersecurity & Communications Integration Center (NCCIC) 
is a 24-7 cyber situational awareness and incident response and management cen- 
ter that serves as a centralized location for the coordination and integration of oper- 
ational elements involved in cybersecurity and communications reliability. NCCIC 
partners include all Federal departments and agencies; State, local, tribal, and terri- 
torial Governments (SLTT); the private sector; and international entities. The Cen- 
ter provides greater situational awareness of cybersecurity and communications, 
and takes actions to address vulnerabilities, intrusions, and incidents, including 
mitigation, information-sharing, and recovery. 

The NCCIC is composed of the United States Computer Emergency Readiness 
Team (U.S.-CERT), the Industrial Control System Cyber Emergency Response 
Team (ICS-CERT), the National Coordination Center for Communications (NCC), 
and an Operations and Integration Team. NCCIC operations are currently con- 
ducted from three States: Virginia, Idaho, and Florida. During the first 11 months 
of 2014, the NCCIC has had 108,734 incidents reported to the center, issued over 
11,514 actionable cyber alerts, and had over 219,805 partners subscribe to our 
cyberthreat warning sharing initiative. NCCIC teams have also detected over 87,797 
vulnerabilities and directly aided in the mitigation of near 53,624 unique challenges. 

Enhancing the Security of Cyber Infrastructure 

The NCCIC actively collaborates with public and private-sector partners every 
day, including responding to and mitigating the impacts of attempted disruptions 
to the Nation’s critical cyber and communications networks. DHS also directly supports 
Federal civilian departments and agencies in developing capabilities that will 
improve their own cybersecurity postures. Through the Continuous Diagnostics and 
Mitigation (CDM) program, led by the NPPD Federal Network Resilience Branch, 
DHS enables Federal agencies to more readily identify network security issues, in- 
cluding unauthorized and unmanaged hardware and software; known 
vulnerabilities; weak configuration settings; and potential insider attacks. Agencies 
can then prioritize mitigation of these issues based upon potential consequences or 
likelihood of exploitation by adversaries. The CDM program provides diagnostic sen- 
sors, tools, and dashboards that provide situational awareness to individual agencies 
and at a summary Federal level. Memoranda of Agreement between Government 
entities and DHS to provide the CDM program’s services encompass network secu- 
rity protection for over 97 percent of all Federal civilian personnel. 

The National Cybersecurity Protection System (NCPS) complements these efforts. 
A key component of NCPS is referred to as EINSTEIN, an integrated intrusion de- 
tection, analysis, information sharing, and intrusion-prevention system. EINSTEIN 
utilizes hardware, software, and other components to support DHS’s protection of 
Federal civilian agency networks. The program will expand intrusion prevention, in- 
formation sharing, and cyber analytic capabilities at Federal agencies. EINSTEIN 
3 Accelerated (E3A) gives DHS an active role in defending “.gov” network traffic. 
At this time, E3A provides Domain Name System and/or email protection services 
to 33 departments and agencies. It reduces threat vectors available to actors seeking 
to infiltrate, control, or harm Federal networks. 

Securing the Homeland Against Persistent and Emerging Cyberthreats 

Cyber intrusions into critical infrastructure and Government networks are serious 
and sophisticated threats. The complexity of emerging threat capabilities, the inex- 
tricable link between the physical and cyber domains, and the diversity of cyber ac- 
tors present challenges to DHS and our customers. As the private sector owns and 
operates over 85 percent of the Nation’s critical infrastructure, information sharing 
and capability development partnership becomes especially critical between the pub- 
lic and private sectors. 

Financial Sector Distributed Denial of Service (DDoS) Attacks 

The continued stability of the U.S. financial sector is often discussed as an area 
of concern, as U.S. banks are consistent targets of cyber attacks. There have been 
increasingly powerful DDoS incidents impacting leading U.S. banking institutions 
in 2012 and 2013 and some high-profile media coverage of financial sector cyberse- 
curity issues in 2014. U.S.-CERT has a distinct role in responding to a DDoS: to 
disseminate victim notifications to United States Federal Agencies, Critical Infrastructure 
Partners, International CERTs, and U.S.-based Internet Service Providers. 

U.S.-CERT has provided technical data and assistance, including identifying 
600,000 DDoS related IP addresses and supporting contextual information about the 
source of the attacks, the identity of the attacker, or other associated details. This 
information helps financial institutions and their information technology security 
service providers improve defensive capabilities. In addition to sharing with relevant 
private-sector entities, U.S.-CERT provided this information to over 120 international 
partners, many of whom contributed to our mitigation efforts. U.S.-CERT, 
along with the FBI and other interagency partners, also deployed to affected entities 
on-site technical assistance, or “boots on the ground.” U.S.-CERT works with Fed- 
eral civilian agencies to ensure that no USG systems are vulnerable to take-over 
as a part of a botnet, since botnets are a tool that cybercriminals use to deflect attri- 
bution in DDoS attacks. 

During these attacks, our I&A partners bolstered long-term, consistent threat en- 
gagements with the Department of Treasury and private-sector partners in the Fi- 
nancial Services Sector. I&A analysts presented sector-specific unclassified briefings 
on the relevant threat intelligence, including at the annual Financial Services Infor- 
mation Sharing and Analysis Center (FS-ISAC) conference, alongside the Office of 
the National Counterintelligence Executive and the U.S. Secret Service. At the re- 
quest of the Treasury and the Financial and Banking Information Infrastructure 
Committee (FBIIC), I&A analysts provided classified briefings on the malicious 
cyberthreat actors to cleared individuals and groups from several financial regu- 
lators, including the Federal Deposit Insurance Corporation (FDIC), Securities and 
Exchange Commission (SEC), and the Federal Reserve Board (FRB). Additionally 
our Science and Technology organization coordinates priority R&D programs in col- 
laboration with the Financial Services Sector Coordinating Council. 

Point of Sale Compromises 

On December 19, 2013, a major retailer publicly announced it had experienced unauthorized 
access to payment card data from the retailer’s U.S. stores. The information 
involved in this incident included customer names, credit and debit card numbers, 
and the cards’ expiration dates and card verification value security codes. The 
value security codes are three or four digit numbers that are usually on the back 
of the card. Separately, another retailer also reported a malware incident involving 
its Point of Sale (POS) system on January 11, 2014, that resulted in the apparent 
compromise of credit card and payment information. 

In response to this activity, NCCIC/U.S.-CERT analyzed the malware identified 
by the Secret Service as well as other relevant technical data and used those find- 
ings, in part, to create two information-sharing products. The first product, which 
is publicly available and can be found on U.S.-CERT’s Web site, provides a nontech- 
nical overview of risks to POS systems, along with recommendations for how busi- 
nesses and individuals can better protect themselves and mitigate their losses in the 
event an incident has already occurred. The second product provides more detailed 
technical analysis and mitigation recommendations, and has been securely shared 
with industry partners to enable their protection efforts. NCCIC’s goal is always to 
share information as broadly as possible, including by producing products tailored 
to specific audiences. 

These efforts ensured that actionable details associated with a major cyber inci- 
dent were shared with the private sector partners who needed the information in 
order to protect themselves and their customers quickly and accurately, while also 
providing individuals with practical recommendations for mitigating the risk associ- 
ated with the compromise of their personal information. NCCIC especially benefited 
from close coordination with the private-sector Financial Services Information Shar- 
ing and Analysis Center during this response. 

Preparing for the Next Cyber Incident 

DHS is taking a number of proactive measures to strengthen its partnerships 
with the financial sector and increase shared understanding of one another’s capa- 
bilities and cybersecurity response plans and procedures. These efforts include regu- 
larly exercising incident response procedures together with interagency and private- 
sector representatives; working collaboratively with financial sector representatives 
to clarify and streamline processes when requesting technical assistance from the 
Government; identifying barriers to information sharing and ways to reduce those 
barriers; and implementing automated information sharing between the financial 
services sector and Government by expanding the use of Structured Threat Informa- 
tion expression (STIX) and Trusted Automated eXchange of Indicator Information 
(TAXII) programs, a free method for machine-to-machine sharing of cyberthreat in- 
dicators. 

Also of significant note is our vision and direction moving forward to create broad 
situational awareness of cyberthreats and disseminate warning information ahead 
of malicious attacks. We recognize the need to change the profit model in cybercrime 
by making networks more resilient and less appealing and rewarding for adversarial 
attack or intrusion. Just as the human body achieves resilience by fighting new vi- 
ruses with biological mechanisms that recognize when the body is under attack, 
DHS is enabling similar mechanisms for networks using mathematical trend analysis 
of cyber events. We collect the data needed for this from the Government agencies 
that we protect, with full collaboration from our privacy and civil liberties experts, 
and are creating a cyber “Weather Map,” to help visualize and inform current 
cyber conditions. The concept comprises the ability to view the current state of cy- 
bersecurity, just as a traditional weather map provides a view of current weather. 
Our goal is for networks and connected devices to know when to reject incoming 
traffic or even refuse to execute specific computer instructions because they are rec- 
ognized as harmful due to their current behavior, even if the exact computer “dis- 
ease” has not been seen before. This will help to create that resilience to deter many 
cyberthreat actors. 

DHS also recognizes that effective incident response requires plenty of practice 
and close cooperation across Government and with the private sector. To prepare 
for and ensure effective cooperation during a significant event, DHS, in close coordi- 
nation with the Department of the Treasury, private-sector representatives, finan- 
cial sector regulatory bodies and other Federal Government partners, has instituted 
an exercise program to periodically test processes and procedures for responding to 
a significant cyber incident impacting the financial sector. The exercises help clarify 
roles and responsibilities, identify gaps in response plans and capabilities, and as- 
sist with developing plans to address those gaps. The exercises result in valuable 
lessons learned and will help improve existing processes and procedures and result 
in more effective cooperation during an actual incident. 

DHS Cybersecurity Authorities 

We continue to seek legislation that clarifies and strengthens DHS responsibilities 
and allows us to respond quickly to vulnerabilities like Heartbleed, a vulnerability 
in the popular Open SSL cryptographic software library. Legislative action is vital 
to ensuring the Department has the tools it needs to carry out its mission. DHS had 
to go “door to door” securing authorization from Federal entities to exercise our au- 
thority in responding to Heartbleed. We urge Congress to continue efforts to mod- 
ernize the Federal Information Security Management Act to reflect the existing 
DHS role in agencies’ Federal network information security policies; clarify existing 
operational responsibilities for DHS in cybersecurity by authorizing the NCCIC; and 
provide DHS with hiring and other workforce authorities. 

Conclusion 

DHS will continue to work with our public and private partners to create collabo- 
rative solutions to improve cybersecurity, particularly those that reduce the likeli- 
hood of the highest-consequence cybersecurity incidents. We work around the clock 
to ensure that the peace and security of the American way of life will not be inter- 
rupted by degradation of systems or by opportunist, enemy, or terrorist actors. Each 
incarnation of threat has some unique traits, and mitigation requires agility and 
layered security. Cybersecurity is a process of risk management in a time of con- 
strained resources, and we must ensure that our efforts achieve the highest level 
of security as efficiently as possible. 

DHS represents an integral piece of the national work in cybersecurity: we are 
building a foundation of voluntary partnerships with private owners of critical infra- 
structure and Government partners working together to safeguard stability. While 
securing cyberspace has been identified as a core DHS mission since the 2010 Quad- 
rennial Homeland Security Review, the Department’s view of cybersecurity has 
evolved to include a more holistic emphasis on critical infrastructure which takes 
into account risks across the board. 

The Department stands to be the core of integration and joint analysis, by ma- 
chines and by humans, of global cyber behavior, trends, malware analysis and the 
powerful combination of data that only we can correlate due to our unique role pro- 
tecting civilian Government systems with data that often only the private sector 
gathers. We are working to further enable the NCCIC to receive information at “ma- 
chine speed.” 1 This capability will begin to enable networks to be more self-healing, 
as they use mathematics and analytics to better recognize and block threats before 
they reach their targets, thus deflating the profit model of cyber adversaries and 
taking botnet response from hours to seconds in some cases. 

DHS forms a crucial underpinning for ensuring the ongoing protection of our in- 
frastructures, services and way of life. We look forward to continuing the conversa- 
tion and continuing to serve the American goals of peace and stability, and we rely 
upon your continued support. 


1 Automatically sending and receiving cyber information as it is consumed and augmented 
based on current threat conditions, creating a process of automated learning that emulates a 
human immune system and gets smarter as it is exposed to new threats. 
Chairman Johnson, Ranking Member Crapo, and Members of the Committee, 
thank you for the opportunity to appear before you today to discuss the important 
issue of cybersecurity, including our efforts to address cyberthreats and 
vulnerabilities and coordinate information sharing for the benefit of the banking in- 
dustry, regulatory community, and the financial system overall. There are few 
issues more important to the OCC and to our country’s economic and national secu- 
rity than the risks posed by cyber attacks. 

My name is Valerie Abend, and I serve as the OCC’s Senior Critical Infrastruc- 
ture Officer. In collaboration with the agency’s supervisory divisions, I lead the 
agency’s cybersecurity and resilience efforts for the national banks and Federal sav- 
ings institutions (referred to collectively as banks) that we supervise. I also cur- 
rently chair the Federal Financial Institutions Examination Council’s (FFIEC) Cy- 
bersecurity and Critical Infrastructure Working Group (CCIWG). I have more than 
20 years of private and public sector experience in the cybersecurity and critical in- 
frastructure fields. My testimony today will discuss the cybersecurity initiatives the 
OCC and the FFIEC have taken, the avenues in place to share cybersecurity infor- 
mation, and recommendations where legislation may be helpful to enhance informa- 
tion sharing among financial institutions. 

Background 

We live in a world of rapidly changing technology that impacts financial institu- 
tions both in terms of the products and services they offer and the risks that they 
face. We are long past the time when retail payments occur through face-to-face 
cash transactions or with paper checks. Instead, consumers increasingly use their 
cellphones to deposit checks, pay bills, and make purchases at the mall. For most 
consumers, electronic-based payment mechanisms and electronic banking are a rou- 
tine part of life, and they may not give much thought to what goes on behind the 
scenes to provide the speed, convenience, and security in our payment and settle- 
ment systems today. What they may not know is the vast amount of information 
technology that institutions necessarily rely upon to make this convenience possible. 
To continue to improve efficiency and offer new products and services, institutions 
are rapidly adopting new information technology. From connecting personal devices 
such as tablets and phones to their networks and launching new mobile banking 
applications, to using cloud computing, banks are adopting new technologies and es- 
tablishing new connections. Collectively, this dependence on technology and the data 
that financial institutions create along with the funds they maintain and transmit 
every day make financial institutions attractive targets for hackers. Unfortunately, 
new vulnerabilities in both hardware and software are identified daily, making it 
difficult to protect systems from cyber attacks. 

Furthermore, networks that serve the financial industry are global, which means 
hackers can target banks and other systems from almost anywhere in the world. 
Financial institutions today face threats from insiders and individuals acting alone, 
and from international networks of well-organized Nation-States, criminals, and so- 
called “hacktivists” who use cyber attacks to raise awareness and support for their 
political or social causes. 

As the risks evolve, financial institutions must continue to prepare for cyber at- 
tacks and how they will identify, mitigate, and respond to them — and regulators 
must take steps to ensure that they do so. 

OCC Supervisory Framework and Initiatives 

The OCC’s supervisory framework is built around four key elements. The first is 
the OCC’s ongoing monitoring and information sharing with other regulators, Government 
agencies, and banks with respect to emerging threats and changes to the 
risk landscape. The second is the OCC’s development and continual refinement of 
standards and guidance that set forth supervisory expectations as to how banks and 
third-party service providers can best safeguard bank and bank customer informa- 
tion. The third key component is the agency’s communication of these supervisory 
expectations to examiners and bank management through training and other forms 
of communication. The final component of the framework is the implementation of 
policy through on-site examination of banks and critical third-party service providers 
to assess their compliance with our supervisory expectations to ensure that 
they are appropriately managing risks, and when necessary, directing them to take 
corrective action. Each of these elements is described below. 

Ongoing Monitoring, Assessment, and Information Sharing 

Ongoing monitoring and timely information sharing across the financial sector re- 
garding cybersecurity issues including threats, vulnerabilities and risk mitigation 
tactics, is a crucial component of our efforts. The OCC conveys risk management 
practices to banks, including strategies to identify, prevent, mitigate and respond 
to attacks. During and following a cyber attack, the OCC plays an important role 
in evaluating the impacts from the attack to determine if they pose a material risk 
to bank systems and bank customer information. At the same time, the OCC evalu- 
ates whether the institutions involved are taking appropriate and timely corrective 
action. 

We encourage banks and service providers to participate with regulators in fo- 
rums to learn about specific cyberthreats in a timely manner. For example, the OCC 
is a member of both the Financial and Banking Information Infrastructure Com- 
mittee (FBIIC) and the Financial Services Information Sharing and Analysis Center 
(FS-ISAC), which are among the financial sector’s public-private partnerships that 
provide information regarding cyberthreats and various means to improve the secu- 
rity and resilience of the financial sector. 

OCC examiners also maintain ongoing communication with the banks they super- 
vise. This includes information related to pervasive vulnerabilities and incidents 
that may cause significant disruption to systems, facilities, or business processes at 
the bank, its operating subsidiary or affiliate, or at a third-party service provider. 
Examiners monitor the bank’s response to incidents and to reports on threats and 
vulnerabilities and assess the level of impact and risk to customers, business oper- 
ations, as well as any systemwide or downstream effects. 

The OCC uses a number of mechanisms, based on the nature of the threat or vul- 
nerability and the immediacy of potential impact, to communicate information that 
may pose a material risk to the banks we supervise. This includes providing exam- 
iners with instructions and messages to use in contacting bank management on spe- 
cific wide-scale vulnerabilities and threats, the risks these may pose to the bank, 
and actions the bank should take to prevent, detect, and respond to a threat or vul- 
nerability. 

Supervisory Standards and Guidance 

The banking sector is highly regulated and has been subject to stringent informa- 
tion security requirements for decades. The OCC has the authority to require the 
banks we regulate and their service providers to protect their own systems and 
bank customer data and to require banks to take steps to identify, prevent, and 
mitigate identity theft. 

For example, following the 1999 enactment of the Gramm-Leach-Bliley Act, the 
OCC, in conjunction with the Federal Deposit Insurance Corporation (FDIC), the 
Board of Governors of the Federal Reserve System (FRB), and the National Credit 
Union Administration (NCUA), published enforceable information security guide- 
lines that set forth standards for administrative, technical, and physical safeguards 
that financial institutions must have to ensure the security and confidentiality of 
customer information. These interagency guidelines require banks to develop and 
implement formal information security programs that are tailored to a bank’s as- 
sessment of the risks it faces, including internal and external threats to customer 
information and any method used to access, collect, store, use, transmit, protect, or 
dispose of the information. Given the evolving threat and technology environment, 
the guidelines require a bank’s information security program to be dynamic — to continually 
adapt to address new threats, changes in technology, and new business arrangements. 
Since banks often depend upon service providers to conduct critical 
banking activities, the guidelines also address how banks must manage the risks 
associated with their service providers. 

In addition, pursuant to section 114 of the FACT Act, the OCC, FRB, FDIC, 
NCUA, and the Federal Trade Commission, issued regulations in 2007 titled “Iden- 
tity Theft Red Flags and Address Discrepancies”. These rules require each financial 
institution and creditor to develop and implement a formal identity theft prevention 
program that includes policies and procedures for detecting, preventing, and miti- 
gating identity theft in connection with account openings and existing accounts. A 
bank’s program must include policies and procedures to identify, detect, and respond 
to relevant indicators of identity theft, and must be updated periodically to reflect 
changes in risks to customers and to the institution from identity theft. 
Over the years, the OCC on its own, and through the FFIEC, also has published
guidance and handbooks that make clear our expectations about acceptable risk 
management processes and procedures for safeguarding information and managing 
information technology (IT) risks. This guidance addresses broad subjects such as 
information security, business continuity planning, and outsourcing technology serv- 
ices. It also focuses on specific areas of risks, such as authentication of users in an 
Internet banking environment and effective software patch management. As noted 
below, this guidance is reviewed continually and updated to take into account evolv- 
ing risks. 

Examiner Training and Communicating Expectations 

All entry-level OCC examiners receive training on information technology risk 
management within their first 3 years of employment. In addition, the OCC has ex- 
aminers who specialize in IT. These examiners have specialized skills and experi- 
ence to focus on information security and other technology risks inherent in bank 
operations. To help these specialists maintain their skills and knowledge, the OCC 
has an advanced IT training program. This is further augmented through webinars, 
in-person meetings, and formal and informal networking groups. When the OCC 
issues new guidance or updates existing guidance, we incorporate it into our train- 
ing and develop communications so that our examiners can effectively implement 
these changes through the examination process. 

Additionally, the OCC has taken steps to raise awareness of banks about the risks 
posed by cyberthreats and vulnerabilities and to inform them of changes to super- 
visory expectations. This includes highlighting cybersecurity as an important oper- 
ational risk that banks must pay close attention to through our public Semi-Annual 
Risk Perspective reports, releasing bulletins to the industry on topics such as dis- 
tributed denial of service attacks, and hosting webinars, outreach meetings and 
roundtable discussions. 

On-Site Examinations 

As part of their ongoing supervision, OCC examiners assess the adequacy of the 
controls that protect customer information, and bank systems and information. The 
OCC and the other Federal banking regulators also conduct joint examinations of 
major technology service providers that provide critical services to the banking sec- 
tor. 

Due to the complexity of the largest national banks, the OCC has resident IT ex- 
aminers on-site who perform ongoing supervision of the banks’ IT policies, proce- 
dures, and practices. OCC examiners also perform on-site IT examinations at small- 
er banks every 12 to 18 months as part of their regular exam. Examiners also follow 
up on identified concerns or emerging cyber-risks during quarterly communications 
with the banks they supervise, or on a more frequent basis depending on the nature 
of the concern or risk. The OCC uses information from bank examinations to inform 
our policies, training, and exam procedures. For example, through our exams, the 
OCC identified increasing risks and the need for additional guidance for banks on 
how to manage the complex risks posed by critical third-party relationships. As a 
result, in 2013, the OCC updated its Third-Party Relationship Risk Management 
Guidance, which incorporates important expectations for banks to evaluate their 
third parties’ information security, incident response, and management of informa- 
tion systems, as well as the servicers’ ability to assess, monitor, and mitigate risks 
posed by its subcontractors. 

FFIEC Initiatives 

The Comptroller currently chairs the FFIEC, an interagency body comprised of 
the principals of the five Federal banking regulatory agencies — the OCC, the FRB, 
the FDIC, the NCUA, and the Consumer Financial Protection Bureau (CFPB) — and 
the FFIEC’s State Liaison Committee. The FFIEC is empowered to prescribe uni- 
form principles, standards, and report forms to promote uniformity in the super- 
vision of financial institutions. One of the Council’s top priorities is to strengthen 
institutions’ resilience to cyber attacks. Last year, the Comptroller called for — and 
the Council members concurred in — the creation of the CCIWG to enhance commu- 
nication among the FFIEC members and to build on existing efforts to strengthen 
the activities of other interagency and private-sector groups with respect to cyberse- 
curity. 

The CCIWG serves as a liaison between the members of the FFIEC and the intel- 
ligence community, law enforcement, and the Department of Homeland Security 
(DHS) on issues related to cybersecurity and the protection of critical infrastructure. 
The working group is empowered to help the FFIEC members collaborate in estab- 
lishing cyber-related examination policy, developing training programs, coordinating 
responses to cybersecurity incidents, and managing information-sharing efforts. 
The working group has been quite active since its inception. Through its coordination and information sharing with intelligence, law enforcement, DHS, and the Department of the Treasury, the group has drafted several statements to institutions
advising firms about the threats posed by ATM cashout schemes, distributed denial 
of service attacks, and widespread vulnerabilities such as Heartbleed and Shell- 
shock. 

One major initiative that the working group launched this summer was the Cy- 
bersecurity Assessment, which involved the pilot of a new cybersecurity examination 
work program at more than 500 diverse community institutions supervised by the 
OCC, FRB, FDIC, NCUA, and State regulatory agencies. The Cybersecurity Assessment evaluated the complexity of each institution’s operating environment, focusing
on such factors as the types of connections employed, products and services offered, 
and technologies used. It also assessed each institution’s overall cybersecurity pre- 
paredness, with a focus on the following key areas: Risk Management and Over- 
sight, Threat Intelligence and Collaboration, Cybersecurity Controls, External De- 
pendency Management, and Cyber Incident Management and Resilience. The re- 
sults of the assessment are instructive and will help FFIEC members make in- 
formed decisions about how they identify and prioritize actions to enhance the effec- 
tiveness of cybersecurity-related supervisory programs, guidance, and examiner 
training. 

Preliminary findings that members agreed would be beneficial to share with insti- 
tutions were released as General Observations and are available on the FFIEC’s 
Web site.¹ This document highlights some high-level observations and provides
questions that boards of directors and chief executive officers (CEOs) of financial in- 
stitutions should consider when assessing their cybersecurity preparedness. For ex- 
ample, the document encourages institutions to routinely discuss cybersecurity 
issues in board and senior management meetings to help the financial institution 
set the tone from the top and build a strong security culture. It also encourages in- 
stitutions to clearly define roles and responsibilities and assign accountability to 
identify, assess, and manage cybersecurity risks across the financial institution. 
While the institutions’ leadership is responsible for cybersecurity risk management, 
employees are typically the first line of defense. As such, the FFIEC also encourages 
institutions to keep their training programs current and provide them more fre- 
quently. 

Additionally, the document emphasizes that management should monitor and 
maintain sufficient awareness of cybersecurity threats and vulnerabilities to help 
ensure that financial institutions can evaluate and respond to emerging risks. To 
help build this capability, the FFIEC on behalf of its members issued the statement 
recommending that institutions of all sizes participate in the FS-ISAC to better un- 
derstand the risks posed to their institution and to support their risk management 
program. 

Institutions in the pilot assessment implement controls to impede unauthorized 
access to their systems and have tools in place to detect previously identified at- 
tacks. The General Observations document stresses that institutions should review 
and adjust controls when making changes to their IT environment, routinely scan 
networks for vulnerabilities and anomalous activity, test systems for potential expo- 
sure to cyber attacks, and remediate issues when identified. Similarly, the document 
highlights the importance of identifying the connections an institution has with 
third-party service providers and ensuring formal controls are in place to secure the 
ways these providers transmit, access, and store data. 

Finally, while we found that institutions have procedures for notifying customers, 
regulators, and law enforcement when incidents affect sensitive customer informa- 
tion, the document emphasizes that institutions should strengthen their ability to 
address breaches that may occur by establishing and routinely testing incident re- 
sponse plans throughout the institution. This would include incorporating cyber at- 
tack scenarios into business continuity plans and programs. 

In addition to the Cybersecurity Assessment, the CCIWG has made strides in in- 
creasing financial institutions and examiners’ awareness of cyberthreats and 
vulnerabilities and the actions that management can take to mitigate these risks. 
During the past year, the working group led a webinar, “Executive Leadership of 
Cybersecurity” for which over 5,000 community institution CEOs registered, and 
conducted Web-based trainings for over a thousand examiners on cybersecurity 
issues. Last month, concurrent with the release of the General Observations document, the FFIEC, on behalf of its members, released the Cybersecurity Threat and
Vulnerability Monitoring and Sharing Statement.² The statement reiterated members’
expectations that management monitor and maintain sufficient awareness of
cybersecurity threat and vulnerability information in order to evaluate risk and
respond accordingly. In addition, it reinforced the need for all institutions and their
critical technology service providers to have appropriate methods for monitoring,
sharing, and responding to threat and vulnerability information. In addition to
recommending institutions to join FS-ISAC, the statement also listed additional
Government resources that are able to assist financial institutions with identifying and
responding to cyber attacks.


1 The FFIEC Cybersecurity Assessment, General Observations document can be accessed at
http://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf.

Cross Sector Cybersecurity Dependencies and Information Sharing 

As noted earlier, ensuring appropriate information sharing is an essential compo- 
nent of the OCC’s cybersecurity efforts. The OCC uses information-sharing forums, 
relationships with Government agencies, and the supervision process to acquire in- 
formation on potential and confirmed cyberthreats and attacks. 

As a member of the FS-ISAC and through our work with the Treasury Depart- 
ment, we receive significant alerts that provide information related to cyberthreats, 
attacks, and vulnerabilities. We also recognize the importance of maintaining rela- 
tionships with the law enforcement and intelligence communities to share informa- 
tion and keep lines of communication open. The OCC is an active member of the 
FBIIC, created to improve coordination and communications among a broad array 
of financial regulators, and chaired by the Treasury Department. These efforts in- 
clude monthly staff-level meetings and periodic meetings with agency principals. In 
addition, we attend classified briefings for FBIIC and support the collaborative ini- 
tiatives of this sectorwide partnership. 

The Financial Stability Oversight Council (FSOC) also provides a mechanism to 
promote collaborative efforts on a range of issues, including cybersecurity issues, 
and has set forth specific recommendations to advance cybersecurity efforts. The 
creation of the CCIWG, and some of its activities are directly responsive to the 
FSOC’s recommendations. In its 2014 annual report, FSOC recommended that the 
Treasury Department continue to work with regulators, other appropriate Govern- 
ment agencies, and private-sector financial entities to develop the ability to leverage 
insights from across the Government and other sources to inform oversight of the 
financial sector and to assist institutions, market utilities, and service providers 
that may be targeted by cyber attacks. The FFIEC’s aforementioned issuances are 
prime examples of responses to these recommendations. The FSOC also rec- 
ommended that financial regulators continue their efforts to assess cyber-related 
vulnerabilities facing their regulated entities, identify gaps in oversight that may 
need to be addressed, and inform and raise awareness of cyberthreats and attacks. 
As discussed earlier, the FFIEC’s Cybersecurity Assessment responds to these rec- 
ommendations. 

The OCC and other banking agencies have a robust process for issuing standards 
and guidance and supervising the financial sector through our examinations. How- 
ever, the resiliency of the financial sector is also dependent on other critical sectors, 
including the telecommunications and energy sectors, which do not operate under 
a comprehensive supervisory regime like financial institutions. The OCC strongly 
supports efforts to ensure other sectors have commensurate standards and improved 
transparency as it relates to the cybersecurity preparedness for these other sectors. 
In addition, the financial services industry and retailers have interdependencies. We 
have seen a number of attacks on large retailers in which credit card and other in- 
formation from millions of consumers was compromised. In response, financial insti- 
tutions compensate customers for fraudulent charges and replace credit and debit 
cards, and monitor account activity for fraud at significant cost. This is not easy for 
any bank, but the burden falls especially heavily upon community institutions. At 
a cost of $5 or more per card plus fraud related charges, the costs can escalate 
quickly. We would support efforts to even the playing field between banks and mer- 
chants to ensure that both contribute to efforts to make affected consumers whole. 

The Treasury Department, as our Sector Specific Agency, has been leading efforts 
to work more closely with the Government agencies responsible for overseeing these 
other sectors. The OCC supports these efforts and hopes they lead to more in-depth 
interactions between the financial sector and other sectors with which it closely 
interacts. For our part, the OCC is a member of a newly formed Cybersecurity 
Forum for Independent and Executive Branch Agencies. The Forum’s objectives are 
to enhance communication, identify lessons learned, and develop a common understanding
of cybersecurity activities through the sharing of best practices and exploring
approaches to enhance cybersecurity protections.


2 The FFIEC Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement can
be accessed at http://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Statement.pdf.

Recommendations for Congressional Consideration 

As we work to safeguard our financial system, we note some areas where Congressional action is necessary to provide parity among the parties impacted in cyber
breaches that adversely affect consumers and to facilitate additional information 
sharing within the banking industry. 

Parity for Retailers 

The recent breaches at large retailers highlight the need for improved cybersecu- 
rity for merchants. Enhanced cybersecurity should apply to all industries where cus- 
tomer information is at risk. There should be consistent protections across all indus- 
tries for securing financial transactions, customer information, and systems. Fur- 
ther, these protections should include appropriate responses to breaches when they 
do occur. As mentioned previously, when breaches occur in merchant systems, mer- 
chants should contribute to efforts to make affected consumers whole. 

Industry Information Sharing 

The OCC believes the existing statutory framework could be improved to encour- 
age information sharing about cyber attacks among institutions. We believe that 
amending the USA PATRIOT Act by creating a safe harbor to facilitate and promote 
the timely sharing of information among financial institutions concerning cybersecu- 
rity threats, cyber attacks, and data breaches would create incentives for enhanced 
information sharing, which would result in increased awareness of potential threats 
within the banking industry. 

Other Legislative Proposals 

The OCC has reviewed a number of legislative proposals that are pending in Congress
to promote and facilitate information sharing concerning cyberthreats and attacks
among Government agencies. The OCC generally supports such legislative initiatives.
However, in the case of cyberthreat information involving banks, the bills we have
reviewed do not require or encourage the DHS, the Department of Justice, or other
Government agencies to share this information with the appropriate Federal banking
agency. The Federal banking agencies need cyberthreat information involving banks
to ensure the safety and soundness of both individual banks and the
broader financial system. Accordingly, we believe that legislative proposals designed 
to improve and promote cyberthreat information sharing among Government agen- 
cies should require other Government agencies to share information related to 
banks with the Federal banking agencies. 

In addition, most legislative proposals designed to promote and facilitate 
cyberthreat information sharing provide that the information shared may not be 
used for regulatory purposes. This provision could impede our ability to issue cyber- 
security guidance or regulations, or to take action to correct deficiencies in cyberse- 
curity risk management. 

Conclusion 

We have high expectations for our supervised entities in the area of cybersecurity. 
Financial institutions of all types and sizes must remain vigilant to protect against 
and mitigate cyber breaches, and we at the OCC will continue to support banks in 
this effort. To ensure we stay on top of the evolving threats to the financial services 
industry, the OCC is committed to refining our supervisory processes on an ongoing 
basis and to participating in public-private partnerships to help keep abreast of and 
respond to emerging threats. 

The Comptroller has emphasized the importance of communication, collaboration, 
and cooperation in all aspects of our mission. Nowhere is such communication and 
collaboration more important than in the realm of cybersecurity, where the threat 
transcends agency jurisdictions and industry boundaries. Combatting cyberthreats 
and protecting our economic security requires the Government and industry to work 
together for the good of consumers, the industry, and the entire financial services 
sector. 
Deputy Special Agent in Charge, Cyber Operations Branch, Criminal 
Investigative Division, Secret Service 

December 10, 2014 

Good morning Chairman Johnson, Ranking Member Crapo, and distinguished 
Members of the Committee. Thank you for the opportunity to testify on the ongoing 
challenge of cybercrime impacting our Nation’s financial system. The U.S. Secret 
Service (Secret Service) has decades of experience investigating large-scale criminal 
cyber intrusions, in addition to other crimes that impact our Nation’s financial pay- 
ment systems. Based on this investigative experience, I hope to provide this Com- 
mittee insight into the continued trend of transnational cybercriminals targeting our 
Nation’s financial system for their illicit gain. 

The Role of the Secret Service 

The Secret Service was founded in 1865 to protect the U.S. financial system from 
the counterfeiting of our national currency. As the Nation’s financial system evolved 
from paper to plastic to electronic transactions, so too has the Secret Service’s inves- 
tigative mission. Today, our modern financial system depends heavily on informa- 
tion technology for convenience and efficiency. Accordingly, criminals have adapted 
their methods and are increasingly using cyberspace to exploit our Nation’s financial 
payment system by engaging in fraud and other illicit activities. This is not a new 
trend; criminals have been committing cyber enabled financial crimes since at least 
1970.¹

Congress established 18 U.S.C. §§1029-1030 as part of the Comprehensive Crime
Control Act of 1984² and explicitly assigned the Secret Service authority to
investigate these criminal violations.³ These statutes first established as specific
Federal crimes unauthorized access to computers⁴ and the fraudulent use, or
trafficking of, access devices⁵ — defined as any piece of information or tangible
item that is a means of account access that can be used to obtain money, goods,
services, or other thing of value.⁶

Secret Service investigations have resulted in the arrest and successful prosecu- 
tion of cybercriminals involved in the largest known data breaches, including those 
of TJ Maxx, Dave and Buster’s, Heartland Payment Systems, and others. Over the 
past 5 years Secret Service cybercrime investigations have resulted in over 5,940 ar- 
rests, associated with approximately $1.53 billion in fraud losses and the prevention 
of over $11.71 billion in potential fraud losses. Through our work with our partners 
at the U.S. Department of Justice (DOJ), in particular local U.S. Attorney’s Offices, 
the Computer Crime and Intellectual Property Section (CCIPS), the International 
Organized Crime Intelligence and Operations Center (IOC-2), the Federal Bureau 
of Investigations (FBI) and others, we will continue to bring major cybercriminals 
to justice. 

The Transnational Cybercrime Threat 

Advances in computer technology and greater access to personally identifiable information (PII) via the Internet have created online marketplaces for transnational
cybercriminals to share stolen information and criminal methodologies. As a result, 
the Secret Service has observed a marked increase in the quality, quantity, and 
complexity of cybercrimes targeting private industry and critical infrastructure. 
These crimes include network intrusions, hacking attacks, malicious software, and 
account takeovers leading to significant data breaches affecting every sector of the 
world economy. The recently reported payment card data breaches are examples of 
the decade-long trend of major data breaches perpetrated by transnational 
cybercriminals who are intent on targeting our Nation’s financial payment system 
for their illicit gain. 

The growing collaboration amongst cybercriminals allows them to compartmen- 
talize their operations, greatly increasing the sophistication of their criminal en- 


1 Beginning in 1970, and over the course of 3 years, the chief teller at the Park Avenue
branch of New York’s Union Dime Savings Bank manipulated the account information on the
bank’s computer system to embezzle over $1.5 million from hundreds of customer accounts. This
early example of cybercrime not only illustrates the long history of cybercrime, but the difficulty
companies have in identifying and stopping cybercriminals in a timely manner — a trend that
continues today.

2 Pub. L. 98-473, §§1602(a) and 2102(a), 98 Stat. 1837, 2183 and 2190.

3 18 U.S.C. §§1029(d) and 1030(d)(1).

4 18 U.S.C. §1030.

5 18 U.S.C. §1029.

6 18 U.S.C. §1029(e)(1).


deavors as they develop expert specialization. These specialties raise both the com- 
plexity of investigating these cases, as well as the level of potential harm to compa- 
nies and individuals. For example, illicit underground cybercrime marketplaces 
allow criminals to buy, sell, and trade malicious software, access to sensitive net- 
works, spamming services, payment card data, PII, bank account information, bro- 
kerage account information, hacking services, and counterfeit identity documents. 
These illicit digital marketplaces vary in size, with some of the more popular sites 
boasting membership of approximately 80,000 users. These digital marketplaces 
often use various digital currencies, and cybercriminals have made extensive use of 
digital currencies to pay for criminal goods and services or launder illicit proceeds. 

Secret Service Strategy for Combating This Threat 

The Secret Service proactively investigates cybercrime using a variety of inves- 
tigative means to infiltrate these transnational cybercriminal groups. As a result of 
these proactive investigations, the Secret Service is often the first to learn of 
planned or ongoing data breaches and is quick to notify financial institutions and 
the victim companies with actionable information to mitigate the damage from the 
data breach and terminate the criminal’s unauthorized access to their networks. 
One of the most poorly understood facts regarding data breaches is that it is rarely 
the victim company that first discovers the criminal’s unauthorized access to their 
network; rather it is law enforcement, financial institutions, or other third parties 
that identify and notify the likely victim company of the data breach. 

A trusted relationship with the victim is essential for confirming the crime, reme- 
diating the situation, beginning a criminal investigation, and collecting evidence. 
The Secret Service’s growing global network of 37 Electronic Crimes Task Forces 
(ECTF), located within our field offices, are essential for building and maintaining 
these trusted relationships, along with the Secret Service’s commitment to pro- 
tecting victim privacy. The Secret Service routinely discovers data breaches through 
our proactive investigations and notifies victim companies with actionable informa- 
tion. For example, as a result of information discovered this year through just one 
of our ongoing cybercrime investigations, the Secret Service notified hundreds of 
U.S. entities of cybercriminal activity targeting their organizations. Additionally, as 
the Secret Service investigates cybercrime, we discover current criminal methods 
and share this cybersecurity information broadly to enable other organizations to se- 
cure their networks. The Secret Service does this through contributing to leading 
industry annual reports such as the Verizon Data Breach Investigations Report and 
the Trustwave Global Security Report, and through more immediate reports, includ- 
ing joint Malware Initial Findings Reports (MIFRs). 

This year, UPS Stores Inc. used information published in a joint report by the Se- 
cret Service, National Cybersecurity and Communications Integration Center, 
United States Computer Emergency Readiness Team (NCCIC/U.S.-CERT), and the 
Financial Services Information Sharing and Analysis Center (FS-ISAC) on the 
Back-Off malware to protect itself and its customers from cybercriminal activity.⁷
The information in this report was derived from a Secret Service investigation of 
a network intrusion at a small retailer in Syracuse, New York. The Secret Service 
publicly shared actionable cybersecurity information derived from this investigation 
to help numerous other organizations while still safeguarding sensitive information. 
As a result, UPS Stores, Inc. was able to identify 51 stores in 24 States that had 
been impacted, and then were able to contain and mitigate this cyber incident before it developed into a major data breach.⁸

As we share cybersecurity information discovered in the course of our criminal in- 
vestigation, we also continue our investigation in order to apprehend and bring to 
justice those involved. Due to the inherent challenges in investigating transnational 
crime, particularly the lack of cooperation of some countries with law enforcement 
investigations, it can take years to finally apprehend the top tier criminals responsible. For example, even after a 2011 indictment, Secret Service agents were not able to arrest Roman Seleznev of Vladivostok, Russia, in an international law enforcement operation until just recently. Mr. Seleznev has been charged in Seattle 
forcement operation until just recently. Mr. Seleznev has been charged in Seattle 
in a 40-count superseding indictment for allegedly being involved in the theft and 
sale of financial information of millions of customers. Seleznev is also charged in 
a separate indictment with participating in a racketeer influenced corrupt organization
(RICO) and conspiracy related to possession of counterfeit and unauthorized access
devices.⁹ This investigation was led by the Secret Service’s Seattle Electronic
Crimes Task Force.


7 See http://www.us-cert.gov/security-publications/Backoff-Point-Sale-Malware.

8 See UPS Store’s press release available at http://www.theupsstore.com/about/media-room/
Pages/The-ups-store-notifies-customers.aspx.

In another case, the Secret Service, as part of a joint investigation with U.S. Im- 
migration and Customs Enforcement’s Homeland Security Investigations (HSI) and 
the Global Illicit Financial Team, hosted by IRS-Criminal Investigations, shut down 
the digital currency provider Liberty Reserve, which was allegedly widely used by 
criminals worldwide to store, transfer, and launder the proceeds of a variety of illicit 
activities. Liberty Reserve had more than one million users, who conducted approxi- 
mately 55 million transactions through its system totaling more than $6 billion in 
funds. The alleged founder of Liberty Reserve, Arthur Budovsky, was recently extra- 
dited from Spain to the United States. Mr. Budovsky is among seven individuals 
charged in the indictment. Four codefendants — Vladimir Kats, Azzeddine el Amine, 
Mark Marmilev, and Maxim Chukharev — have pleaded guilty and await sentencing. 
Charges against Liberty Reserve and two individual defendants, who have not been 
apprehended, remain pending. This investigation was led by the Secret Service’s 
New York Electronic Crimes Task Force. 

Legislative Action To Combat Data Breaches 

While there is no single solution to prevent data breaches of U.S. customer infor- 
mation, legislative action could help to improve the Nation’s cybersecurity, reduce 
regulatory costs on U.S. companies, and strengthen law enforcement’s ability to con- 
duct effective investigations. The Administration has proposed various pieces of cy- 
bersecurity legislation, including law enforcement provisions related to computer se- 
curity, and continues to urge Congress to pass legislation that will strengthen Gov- 
ernment and private-sector cybersecurity capabilities. In particular, we urge Con- 
gress to act on legislation that will allow us to keep pace with the rapidly evolving 
threats of cybercrime. 

Conclusion 

The Secret Service is committed to continuing to safeguard the Nation’s financial 
payment systems by defeating cybercriminal organizations. Responding to the 
growth in these types of crimes, and the level of sophistication these criminals em- 
ploy, requires significant resources and substantial collaboration among law enforce- 
ment and its public and private-sector partners. Accordingly, the Secret Service 
dedicates significant resources to improving investigative techniques, providing 
training for law enforcement partners, and sharing information on cyberthreats. The 
Secret Service will continue to coordinate and collaborate with other Government 
agencies and the private sector as we develop new methods of combating 
cybercrime. Thank you for your continued commitment to protecting our Nation’s fi- 
nancial system from cybercrime. 


PREPARED STATEMENT OF JOSEPH M. DEMAREST, JR. 

Assistant Director, Cyber Division, Federal Bureau of Investigation, 
Department of Justice 

December 10, 2014 

Good morning Chairman Johnson, Ranking Member Crapo, and the distinguished 
Members of this Committee. I am honored to appear before you today to discuss the 
cyberthreats facing our Nation, their relation to the financial sector, and the efforts 
the FBI is taking to identify, pursue, and defeat those threats. 

In the course of my brief testimony, I hope to give you a sense of the extent to 
which today’s cyber actors pose new and increasingly complex threats to our country 
and to the financial sector — a threat that challenges the traditional models of the 
law enforcement and intelligence communities, where threat actors were previously 
confined by time, distance, and physical location. Instead, today’s cyber actors, from 
Nation-States to criminal groups and individuals, find themselves virtually unre- 
stricted in their target sets and their ambitions, launching attacks from all over 
the world at literally the speed of light. Today, I hope to convey the many ways that 
we at the FBI are doing everything in our power to protect the Nation, and the fi- 
nancial sector in particular, from these threats. 

Cyberthreats Against the Financial Sector: Trends and Implications 

Before describing the current cyberthreatscape, I’d like to give a brief overview 
of the FBI Cyber Division, our mission, and how we target the cyber adversaries 
that threaten this country on a daily basis. In general, the FBI’s mission falls into 
three separate buckets: first, we identify the cyber actors perpetrating harm. In the 
world of cybercrime and cyber espionage, this is often the most difficult step, as 
cyberthreats may hide in plain sight, using various methods to obfuscate their pres- 
ence, location, and activities. Second, we pursue these actors, tracking their activity 
both online and off. To this end, we utilize collaborative partnerships across the 
Federal Government, with international partners and with industry, along with our 
unique combination of national security and law enforcement authorities, to gather 
intelligence about the tactics, techniques and procedures of these actors. In short, 
we find these threat actors and we watch them, gathering intelligence and under- 
standing the motives and the conduct of our adversaries. Lastly, with the aid of 
partnerships and our unique authorities, we defeat cyber adversaries through a full 
range of methods, including — most importantly, arresting and prosecuting those re- 
sponsible. The FBI focuses foremost on intelligence-led, threat-focused cyber oper- 
ations which our personnel, analysts, computer scientists, and agents in the field 
help us achieve every day. 

See http://www.justice.gov/usao/waw/press/2014/October/seleznev.html. 

This proposal is available at: http://www.whitehouse.gov/omb/legislative_letters/. 

As the Members of this Committee are aware, the range of actors who threaten 
our interests is as complex as it is varied. We face cyber terrorists, who aim to use 
our reliance upon and use of digital systems to advance their political or ideological 
goals. We face Nation-States, who aim to use the cyber world to conduct espionage, 
to make preparations for war, and who may even carry out acts of war through 
cyber means. We face ideology-driven criminals, who may use methods such as de- 
nial of service attacks, known as “DDoS” attacks, to further their own ideology or 
social cause. We face insider threats, whose legitimate access to sensitive informa- 
tion may be used for various illicit ends. Lastly, we face financially motivated 
groups and individuals, who use a range of methods to enrich themselves at others’ 
expense — and it is this group that I will focus upon most specifically today, though 
each and every group I just listed may, at times, view the financial sector as a 
prime target. 

As the Members of the Committee are also aware, the threat from cyber actors — 
specifically cybercriminals — continues to garner an increasing share of the media 
spotlight and continues to advance in sophistication. Recent high-profile attacks, 
such as those on eBay, Sony, JPMorgan Chase, and others, highlight vulnerabilities 
in some of our Nation’s largest companies. Regarding the threats to the financial 
sector in particular, such threats range in complexity, and we continue to work 
closely with the Secret Service, DHS, and other partners across the Government. 
Point of sale thefts, also known as “POS” scams, for example, are not new, but continue 
to pose serious threats to the financial services industry. According to 
Verizon’s 2014 Data Breach Investigations Report, the physical installation of a 
“skimmer” on an ATM, gas pump, or POS terminal to read credit card data has tar- 
geted ATMs with an overwhelming specificity — 87 percent of skimming attacks in 
2013, for example, were on ATMs. Retail POS scams, where attackers compromise 
the computers and servers that run POS applications with the intention of cap- 
turing payment data, comprise an additional level of sophistication, and can take 
weeks or even months to be discovered, little less mitigated. The high-profile attack 
on Target provides one of the more sophisticated examples of retail POS scams, in 
which, according to open source reporting, 40 million credit card numbers and an- 
other 70 million customer records were stolen. Such attacks are not unique to Tar- 
get — additional data breaches have been reported at Neiman Marcus, Michaels, and 
P.F. Chang’s, among many others. 

Vulnerabilities in mobile banking pose another new and highly sophisticated dan- 
ger, as mobile banking vulnerabilities may exist on mobile devices that are not 
patched, and malware can be developed to specifically target the use of mobile de- 
vices. One example of this type of vulnerability is the Zeus-in-the-Middle malware, 
a mobile version of the GameOver Zeus malware, which itself was one of the most 
sophisticated types of malware the FBI ever attempted to disrupt. GameOver Zeus 
was designed to steal banking credentials that criminals could then use to initiate 
or redirect wire transfers to overseas bank accounts. All told, the malware infected 
over 1 million computers worldwide and caused over $100 million in estimated 
losses. Zeus-in-the-Middle has not caused the same level of damage or losses as 
GameOver Zeus, but its very existence illustrates the risk posed to mobile platforms, 
where devices can be infected by malicious apps or via spear phishing emails, 
and which can then enable cybercriminals to utilize the banking credentials of tar- 
geted users on a grand scale. Current open source reporting suggests that Android 
OS devices remain a prime target for mobile malware — according to the 2014 Cisco 
Annual Security Report, for example, 99 percent of mobile malware in 2013 targeted 
the Android platform. 

Botnets, which can harness the power of an enormous web of computers for mali- 
cious purposes, continue to evolve as well. As I speak, estimates place the total dam- 
ages caused by botnets at more than $9 billion in losses to U.S. victims and over 
$110 billion in losses worldwide. Approximately 500 million computers are infected 
globally per year — translating to 18 victims per second. As botnets become more so- 
phisticated, our techniques must evolve to keep pace. The FBI and our partners may 
take down one botnet, for example, but coders may alter code and rebuild their bots 
in fairly short order. The power and scale of botnets is particularly worth noting, 
as botnets have been used to attack the financial sector through DDoS attacks, and 
the FBI has been deeply involved in preventing such attacks and in keeping such 
attacks from inflicting lasting damage. Beginning in September 2012, for example, 
actors launched powerful DDoS attacks from a botnet, combining the bandwidth of 
numerous web servers to target major U.S. banking institutions. The FBI worked 
closely with Department of Homeland Security (DHS) to issue Joint Indicator Bul- 
letins (JIBs) to the U.S. banks, which included thousands of IP addresses that par- 
ticipated in the attacks. The U.S. banks used the IP addresses to better mitigate 
future incidents, thus helping to ensure their business operations could proceed with 
less interruption of service to their customers. The JIBs helped reduce the resources 
available for the threat actors to carry out future DDoS operations and dem- 
onstrated the effectiveness of FBI outreach to industry. Throughout this campaign, 
the FBI held significant outreach efforts to brief bank net-defenders through a se- 
ries of classified briefs. These briefs, conducted by FBI, DHS, and Treasury rep- 
resentatives, provided bank security personnel the context of the DDoS threat and 
enabled the banks to share best-practices with their peers in real time. 
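As an added example, not part of this hearing record and not an FBI, DHS, or Treasury product: a defender-side script of the kind a bank's network team could run with the IP indicators carried in a Joint Indicator Bulletin. It loads a bulletin-style list (one IP address or CIDR block per line, comments allowed), checks a web access log against it, and reports hits per indicator so the results can feed mitigation and be shared back with peers. Every indicator value and log line is constructed for this example from RFC 5737 documentation ranges; the function names (parse_indicators, match_log, summarize) are assumptions of this example, not names from any bulletin format.

```python
"""Match a shared IP indicator list against a web access log.

Added example. The bulletin contents and log lines are constructed;
none of the addresses are real indicators from any JIB or FLASH message.
"""
import ipaddress
from collections import Counter

# Constructed bulletin in the shape a defender might receive: one IP
# address or CIDR block per line, '#' starts a comment.
SAMPLE_BULLETIN = """\
# constructed JIB-style indicator list (documentation addresses only)
198.51.100.23
203.0.113.0/24
192.0.2.77   # single host
"""

# Constructed access log lines in Apache/nginx combined format. The last
# line is deliberately malformed to show that the matcher skips it.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Dec/2014:09:15:02 -0500] "GET /login HTTP/1.1" 200 512
10.1.4.9 - - [10/Dec/2014:09:15:03 -0500] "GET /index.html HTTP/1.1" 200 2048
203.0.113.200 - - [10/Dec/2014:09:15:03 -0500] "GET /login HTTP/1.1" 200 512
203.0.113.201 - - [10/Dec/2014:09:15:04 -0500] "GET /login HTTP/1.1" 200 512
192.0.2.77 - - [10/Dec/2014:09:15:05 -0500] "POST /login HTTP/1.1" 302 0
bad line with no source address
"""


def parse_indicators(text):
    """Parse a bulletin into ip_network objects; bare hosts become /32 (or /128).

    Malformed entries are skipped rather than aborting the whole load, so one
    typo in a bulletin does not leave the defender with no indicators at all.
    """
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return networks


def match_log(log_text, networks):
    """Return (hits, per_indicator) for log lines whose source IP is listed.

    hits is a list of (source_ip, full_line); per_indicator counts how many
    lines each bulletin entry matched, which is what a team would report back.
    """
    hits = []
    per_indicator = Counter()
    for line in log_text.splitlines():
        first_field = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(first_field)
        except ValueError:
            continue  # not a parseable source address; leave it unattributed
        for net in networks:
            if addr in net:
                hits.append((str(addr), line))
                per_indicator[str(net)] += 1
                break
    return hits, per_indicator


def summarize(log_text=SAMPLE_LOG, bulletin=SAMPLE_BULLETIN):
    """Run the matcher and return counts suitable for a short incident note."""
    networks = parse_indicators(bulletin)
    hits, per_indicator = match_log(log_text, networks)
    return {
        "indicators": len(networks),
        "hits": len(hits),
        "per_indicator": dict(per_indicator),
    }


if __name__ == "__main__":
    for ip, line in match_log(SAMPLE_LOG, parse_indicators(SAMPLE_BULLETIN))[0]:
        print(f"indicator match from {ip}: {line}")
    print(summarize())
```

Matching on CIDR blocks rather than exact strings matters because bulletins of this kind often list whole ranges of compromised hosts; the linear scan over indicators is fine for a few thousand entries, and a radix tree would replace it for much larger lists.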

From March 2013 to July 2014, the FBI provided approximately 36 classified 
threat briefings regarding the DDoS attacks to private-sector financial institutions 
and governmental agencies, including DHS, Department of Treasury, the Federal 
Deposit Insurance Corporation, and the Federal Reserve System. The initial classi- 
fied briefing, held on March 19, 2013, was attended by over 300 chief information 
security officers via secure video teleconference from 33 FBI field offices. This type 
of outreach is far from irregular — based on imminent threats to the financial sector 
in early 2014, the FBI provided classified threat briefings in March, April, and July 
2014 to a total of 145 financial institutions. 

We at the FBI, in short, are doing everything in our power to keep pace with the 
evolving threat against the financial sector. We further our law enforcement mission 
when we collaborate within the Government and across the private sector to pros- 
ecute and protect our Nation and industries from the devastating consequences of 
cyber attacks. 

Coordination and Information Sharing Across the Government 

The FBI and our partners throughout the Government have all made significant 
progress in recent years in collaborating within the cyber domain — and our progress 
hasn’t just been limited domestically, but has occurred at international levels as 
well. A decade ago, for example, if an FBI agent tracked an Internet Protocol (IP) 
address to a criminal investigation, and if that IP address was located in a foreign 
country, this meant the effective end of the investigation. Since that time, however, 
the FBI has placed cyber specialists in key international locations to facilitate the 
investigation of cybercrimes affecting the U.S. Recognizing the value of cyber spe- 
cialists working with key international partners, the FBI Cyber Division stood up 
a team known as the Operational Coordination Unit’s Extraterritorial Operations 
group to focus on supporting, coordinating, and providing oversight of international 
cyber national security and criminal intrusion investigations. One prime example of 
the importance of collaboration and coordination is the recent take down of Silk 
Road 2.0. Beginning in late December 2013, Blake Benthall, also known by the on- 
line handle “Defcon,” secretly owned and operated an underground Web site known 
as Silk Road 2.0 — one of the most extensive, sophisticated, and widely used criminal 
marketplaces ever created on the Internet. The Web site operated on the Tor net- 
work, a special network of computers distributed around the world and designed to 
conceal the IP addresses of the computers that access the network, thereby masking 
the identities of the network’s users. Silk Road 2.0 launched in November 2013 after 
its predecessor was shut down by law enforcement. Since its launch in 2013, Silk 
Road 2.0 has been used by thousands of illicit actors to distribute hundreds of kilo- 
grams of illegal drugs and other illegitimate goods and services to buyers through- 
out the world, as well as to launder millions of dollars generated by these unlawful 
transactions. As of September 2014, Silk Road 2.0 was generating sales of at least 
approximately $8 million per month and had approximately 150,000 active users. 
The very existence of Silk Road 2.0 highlights the core concern I’m here to address 
today: cybercriminals now operate far outside the traditional bounds that confined 
criminals in past decades, selling banking credentials by the thousands and placing 
malware on the market for the purposes of DDoS attacks, to cite just two examples 
of illicit activities that target the financial sector. Whereas last century’s bank robbers 
used an automobile to steal from a handful of banks in a few States in one 
day — a novel development for the time — today’s bank robbers can use the Internet 
to steal money from thousands of banks across the world in a few hours, all without 
ever leaving their basement. 

Thanks to our coordinated efforts, however, criminal marketplaces like Silk Road 
2.0 cannot and will not last for long. The investigation into Silk Road 2.0 was con- 
ducted jointly by the FBI and the DHS’s Immigration and Customs Enforcement’s 
Homeland Security Investigations (ICE-HSI), illustrating the critical nature of co- 
operation and information sharing in today’s cyber investigations — no Government 
agency, no matter how competent its agents and experts, can operate successfully 
on its own. We capitalize on our distinct roles and responsibilities within the Gov- 
ernment to address and prevent cybercrime. Over the course of the investigation 
into Silk Road 2.0, an HSI agent acting in an undercover capacity successfully infil- 
trated the support staff involved in the administration of the Silk Road 2.0 Web site 
and was given access to private, restricted areas of the site reserved for Benthall 
and his administrative staff. By doing so, the HSI agent was able to interact directly 
with Benthall throughout his operation of the Web site. 

On November 7, 2014, the U.S. Government seized the Silk Road 2.0 Web site 
in the largest law enforcement action to date against criminal Web sites operating 
on the Tor network. Benthall was arrested and charged with one count of conspiring 
to commit narcotics trafficking (carrying a maximum sentence of life in prison and 
a mandatory minimum sentence of 10 years in prison), one count of conspiring to 
commit computer hacking (carrying a maximum sentence of 5 years in prison), one 
count of conspiring to traffic in fraudulent identification documents (carrying a max- 
imum sentence of 15 years in prison), and one count of money laundering conspiracy 
(carrying a maximum sentence of 20 years in prison). The investigation was a key 
success for the FBI, for ICE-HSI, and for the U.S. Government as a whole — and 
a key illustration of the importance of collaboration and cooperation. 

Another example of the importance of collaboration and cooperation, both inside 
and outside of Government, is the vital work the National Cyber Investigative Joint 
Task Force (NCIJTF) performs on a daily basis. Mandated by the President in 2008, 
the NCIJTF serves as national focal point for coordinating, integrating, and sharing 
pertinent information related to cyberthreat investigations among 19 Federal agen- 
cies. The FBI aims to strengthen and solidify the NCIJTF as the cybersecurity cen- 
ter for coordinating cyberthreat investigations and disruption operations. The 
NCIJTF involves senior personnel from key agencies, including deputy directors 
from the National Security Agency, the Department of Homeland Security, the Cen- 
tral Intelligence Agency, the U.S. Secret Service, and U.S. Cyber Command. Rein- 
forcing the role of the NCIJTF on cross-Government cyberthreat information shar- 
ing and coordination is a key priority for the FBI. 

Lastly, the FBI is working to strengthen local and national information sharing 
and collaboration efforts in support of network defense, intelligence operations, and 
disruption operations. And I cannot make the following statement frequently 
enough: the private sector is an essential partner if we are to succeed in defeating 
the cyberthreat our Nation confronts. I will discuss in more detail some of our col- 
laboration efforts with the private sector shortly. 

Current FBI Efforts To Combat Cyberthreats 

The FBI is engaged in a host of efforts to combat cyberthreats, from efforts fo- 
cused on threat identification and sharing inside and outside of Government, to our 
internal emphasis on developing and retaining new talent and changing the way we 
operate to evolve with the cyberthreat. I would like to take this opportunity to high- 
light a few of the ways we at the FBI are confronting this threat head on. 

FBI Liaison Alert System 

As I alluded to earlier in my testimony, the threat of botnets provides a good ex- 
ample of how the FBI is proactively working with industry partners to combat 
cyberthreats. To further assist with network defense and mitigation of botnets, the 
FBI created a document called the FBI Liaison Alert System message, or FLASH. 
Through the system, the FBI releases high confidence data to the private sector 
with indicators and alerts related to computer intrusions and DDoS attacks. From 
April 2013 to July 2014, the FBI disseminated 34 FLASH messages, about 20 of 
which dealt with threats against the financial sector. The FBI disseminated, among 
other information, indicators for approximately 115,000 compromised systems in 
these FLASH messages. These declassified, technical indicators, associated with intrusions, 
are meant to enable industry partners to be on the lookout for and defend 
their infrastructure from nefarious traffic on their networks. 

The FBI provided these FLASH messages to key partners across affected critical 
infrastructure sectors, to include: Tier 1 and 2 Internet Service Providers (ISPs), Do- 
main Name Server (DNS) root server operators, top-level domain (TLD) operators, 
and Five Eyes partners. When the FBI receives credible information regarding a 
threat to U.S. critical infrastructure, FBI coordinates with DHS to discuss and 
deconflict victim notification and mitigation strategies, at times involving other 
agencies, such as the Department of Treasury, as well. 

Guardian Victim Analysis Unit 

The FBI’s Guardian Victim Analysis Unit (GVAU) is a direct response to the 
President’s 2013 Executive Order 13636, which called for increases in the volume, 
timeliness, and quality of cyberthreat information shared with U.S. private-sector 
entities so that these entities may better defend themselves against cyberthreats. 
To help aid these entities and to enhance private-sector information-sharing efforts, 
the FBI established Cyber Guardian, a series of applications that enables actors in 
and outside of Government to share threat information. One Cyber Guardian appli- 
cation is available on a Secret enclave, and two applications known as eGuardian 
and iGuardian/InfraGard — both operating at the unclassified level — are available to 
State, Local, Tribal, and Territorial (SLTT) entities, and to the private sector, re- 
spectively. The Cyber Guardian applications provide a means for the FBI to rapidly 
disseminate reports on cyberthreat activity, in addition to a platform for coordina- 
tion and deconfliction of cyberthreat information. 

The Internet Crime Complaint Center 

Established in 2000, the Internet Crime Complaint Center (IC3) is a partnership 
between the FBI and the National White Collar Crime Center meant to serve as 
a vehicle to receive, develop, and refer criminal complaints regarding the rapidly ex- 
panding arena of cybercrime. During its infancy, the IC3 received approximately 
2,000 victim complaints per month. Now the IC3 receives approximately 800 com- 
plaints a day, with over 244,000 complaints received to date for the 2014 calendar 
year. In 2013, the IC3 received 262,813 consumer complaints with losses in excess 
of $781 million. The IC3 database currently houses more than 3.15 million con- 
sumer complaints dating back to its inception in 2000. 

The Domestic Security Alliance Council 

The Domestic Security Alliance Council (DSAC) is a strategic partnership between 
the U.S. Government and U.S. private industry, formed with the goal of increasing 
security by enhancing communications and promoting the timely and effective ex- 
change of security information among its constituents. The DSAC advances the 
FBI’s mission of preventing, detecting, and deterring criminal acts by facilitating 
strong, enduring relationships among its private industry members, FBI head- 
quarters divisions, FBI field offices, DHS headquarters, DHS fusion centers, and 
other Federal Government entities. 

The National Cyber-Forensics and Training Alliance 

The National Cyber-Forensics and Training Alliance (NCFTA) is composed of rep- 
resentatives of industry, academia, and the FBI, all working together to collaborate 
on combating cybercrime. The NCFTA provides a unique environment for informa- 
tion sharing between law enforcement, private industry, and academia. The NCFTA 
is a nonprofit group whose members include ISPs, banks, retailers, and a whole host 
of other industry representatives, along with law enforcement and academia, with 
a mission to identify cyberthreats and share information for mitigation and neutral- 
ization purposes. The NCFTA provides a one-of-a-kind opportunity for subject mat- 
ter experts to address global cyberthreats such as botnets, spam, and malware. Be- 
cause of its nonprofit status, the group can share information in a neutral environ- 
ment, develop a strategic understanding of the threat, and work to address 
cyberthreats collaboratively. 

National Industry Partnership Unit 

The FBI established an entity known as the National Industry Partnership Unit 
to develop partnerships through the InfraGard program between the FBI and pri- 
vate sector, academic, and other public entities, to support the FBI’s investigative 
programs. Established in the Cleveland field office in 1996, InfraGard was initially 
a local effort to gain support from the information technology industry and academia 
for the FBI’s investigative efforts in the cyber arena. InfraGard soon expanded to 
other FBI field offices, and in 2003 the Cyber Division assumed responsibility for 
the program. InfraGard and the FBI have developed a relationship of trust and 
credibility in the exchange of information concerning various terrorism, intelligence, 
criminal, and security matters. InfraGard members gain access to information that 
enables them to protect their assets and in turn give information to the Government 
that facilitates its responsibilities in preventing and addressing terrorism and other 
crimes. This relationship supports information sharing at both the national and 
local levels, with the aim of increasing the level of information and reporting be- 
tween InfraGard members and the FBI on matters related to counterterrorism, 
cybercrime, and other major crime programs. 

Charting the Cyber Future 

The future cyberthreatscape will certainly be complex — based on recent advances 
in the sophistication of our adversaries, both State and non-State, it is hard to imag- 
ine what this threatscape will look like 10 or even 20 years down the road. Never- 
theless, we in the FBI pride ourselves on being a forward looking organization, and 
adapting to the challenges we face. The FBI Cyber Division — our agents, computer 
scientists, analysts, and personnel — are all working hard to outpace such threats on 
a daily basis, identifying, pursuing, and defeating our adversaries, wherever in the 
world they might be. 

There are, however, a number of ways that Congress might seek to aid us in our 
efforts. In particular, I would like to enumerate three concerns that new legislation 
or amendments to existing legislation could address that would strengthen our abil- 
ity to combat cyberthreats, as follows: 

• Updating the Computer Fraud and Abuse Act. The Computer Fraud and Abuse 
Act (CFAA) constitutes the primary Federal law against hacking, protecting the 
public against criminals who hack into computers to steal information, install 
malicious software, and delete files. The CFAA was first enacted in 1986, at a 
time when the problem of cybercrime was still in its infancy. Over the years, 
a series of measured, modest changes have been made to the CFAA to reflect 
new technologies and means of committing crimes and to equip law enforcement 
with the tools to respond to changing threats. The CFAA has not been amended 
since 2008, however, and the intervening years have again created the need for 
the enactment of modest, incremental changes. The Administration has pro- 
posed several such revisions to keep Federal criminal law up-to-date with rap- 
idly evolving technologies. 

Cyberthreats adapt and evolve at the speed of light, and we need laws on the 
books that reflect the most current means by which cyber actors are committing 
crimes. Updating the CFAA to reflect these changes would help strengthen our 
ability to punish, and therefore to deter, the crimes we seek to prevent. 

• Data Breach Notifications. We believe there is a strong need for a uniform Fed- 
eral standard holding certain types of businesses accountable for data breaches 
and theft of electronic personally identifiable information. Businesses should, 
for example, be required to provide prompt notice to consumers in the wake of 
certain cyber attacks. Such a standard would not only hold businesses accountable 
for breaches, but would also assist in FBI and other law enforcement 
efforts to identify, pursue, and defeat the perpetrators of cyber attacks. 

• Information Sharing. Although the Government and the private sector already 
share cyberthreat information on a daily basis, legislation can enhance the 
value and benefit of these information-sharing relationships. The Government 
and the private sector both have critical and unique insights into the 
cyberthreats we face, and sharing these insights is necessary to enhance our 
mutual understanding of the threat. Similarly, the operational collaboration re- 
quired to identify cyberthreat indicators and to mitigate intrusions requires the 
exact type of sharing we seek in the first place. As such, the FBI supports legis- 
lation that would establish a clear framework for sharing and reduce risk in the 
process, in addition to providing strong and straightforward safeguards for the 
privacy and civil liberties of Americans. U.S. citizens must have confidence that 
threat information is being shared appropriately, and we in the law enforce- 
ment and intelligence communities must be as transparent as possible. We also 
want to ensure that all the relevant Federal partners receive the information 
in real time. 

The bottom line, however, is that current levels of information sharing are insuffi- 
cient to address the cyberthreats we face, specifically with regards to the financial 
sector. The U.S. is currently facing sophisticated, well-resourced adversaries, and 
minimum security requirements are needed to harden our critical infrastructure 
networks. The Government and private sector should collaborate to develop these 
requirements, and we believe that legislation would help to further these ends. 
There are a host of statutory and regulatory restrictions as well that provide narrowly 
tailored liability protections for appropriate cyber information sharing. Further, 
there are a number of regulatory and statutory concerns that private actors 
may express when it comes to sharing cyberthreat information with the Govern- 
ment, and new legislation can and should be crafted to address these concerns. The 
events of the last year, and the continuing high-profile cyber attacks on major 
American companies, should serve to highlight the need for new engagement 
against cyberthreats on every level possible. 

In the absence of the passage of cybersecurity legislation, however, the Adminis- 
tration is taking steps in the right direction to ensure that we can share informa- 
tion, in a practical and meaningful way. One such step is Executive Order (EO) 
13636, entitled “Improving Critical Infrastructure Cybersecurity” and which I ad- 
dressed briefly earlier, signed by the President in February 2013 and designed to 
provide critical infrastructure owners and operators with assistance to address 
cyberthreats and manage risks. The EO calls for the Government to collaborate 
more closely with industry by sharing information about cyberthreats and jointly de- 
veloping a framework of cybersecurity standards and best practices. One of the EO’s 
main goals is to improve Government information sharing with critical infrastruc- 
ture owners and operators regarding cyberthreats, including attack signatures and 
other technical data. The FBI would, however, welcome more active engagement 
from Congress on these matters. Although the EO is a step in the right direction, 
robust cybersecurity legislation is still needed. As partners across the Government 
and private sector have explored the ways we can operate, under existing laws, to 
implement the requirements of the EO, we are well positioned to have a more in- 
formed dialogue with Congress, and to improve our ability to address cyberthreats. 

Conclusion 

In conclusion, Mr. Chairman, the FBI is focusing our resources, expanding our 
presence at the local, national and international levels, and engaging in cooperation 
with the private sector and intergovernmental collaboration. As the Committee 
knows well, we face considerable challenges in our efforts to combat cybercrime, and 
yet we remain optimistic that by identifying, pursuing, arresting and prosecuting 
these offenders we will defeat our cyber adversaries and continue to succeed in neu- 
tralizing these threats. My colleagues at the FBI and I look forward to working with 
the Committee and with Congress in protecting our Nation from the evolving threat 
posed by cyber actors. Thank you again for the opportunity to appear before you 
today. I would be happy to answer any questions you may have. 


RESPONSES TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM BRIAN PERETTI 

Q.1. Fast, efficient sharing of actionable cyberthreat information 
between law enforcement, the intelligence community, and industry 
is a vitally important component of protecting information systems. 
While we have seen significant progress over the past couple years 
in the timeliness and quality of information sharing, there is still 
room for improvement. Please describe, first, what steps are being 
taken at your agency or Department to improve the information- 
sharing process and more quickly disseminate actionable informa- 
tion to those who need it. 

A.1. As the Sector Specific Agency for the Financial Sector, Treas- 
ury encourages private sector membership in the Financial Sector 
Information Sharing and Analysis Center (FS-ISAC). FS-ISAC 
membership has increased significantly over the past year and 
Treasury expects this trend to continue. As any ISAC is only as 
valuable as the information shared within it, Treasury also pro- 
motes and encourages individual private sector firms to actively 
share information through the organization. Increasing the number 
of private sector firms that actively share information within the 
FS-ISAC is a key goal for improving information sharing. 

Treasury has created an information sharing and analysis unit, 
known as the Financial Sector Cyber Intelligence Group (CIG) to 
increase information sharing across the financial services industry. 
The CIG is a section within Treasury’s Office of Critical Infrastruc- 
ture Protection and Compliance Policy that focuses on cybersecu- 
rity information sharing with the financial sector. Its purpose is to 
increase the volume, timeliness and quality of cyberthreat informa- 
tion shared between the Government and the financial services sec- 
tor as called for under Executive Order 13636 on Improving Crit- 
ical Infrastructure Cybersecurity and Presidential Policy Directive 
21 on Critical Infrastructure Security and Resilience, which des- 
ignates Treasury as the Sector Specific Agency for the Financial 
Services Sector. The CIG was established in response to a need 
identified by the financial sector for the Government to have a focal 
point for sharing cyberthreat-related information with the sector. 

The CIG identifies and analyzes all-source intelligence on 
cyberthreats to the financial sector; shares timely, actionable infor- 
mation that alerts the sector to threats and enables firms’ preven- 
tion and mitigation efforts; and solicits feedback and information 
requirements from the sector. It produces threat and mitigation 
bulletins, called CIG Circulars; responds to Requests for Informa- 
tion from the financial sector about specific issues of concern to 
them; delivers classified briefings to appropriately cleared financial 
sector representatives; and encourages the sharing of information 
on specific threats to financial institutions. The CIG has a rep- 
resentative at the Department of Homeland Security’s (DHS) Na- 
tional Cybersecurity and Communications Integration Center 
(NCCIC) and Treasury will support any new national initiative 
aimed at integrating cyberthreat intelligence efforts. The CIG is 
currently developing tools, systems, and processes to automate in- 
formation sharing. Once these mechanisms are in place, the CIG 
will be able to share cyberthreat indicators with the financial sec- 
tor in a machine readable format. 
Q.2. Second, what obstacles or constraints delay the dissemination 
of such information? 

A.2. Treasury engages frequently with individual financial institu- 
tions, industry groups, and interagency partners to understand, as- 
sess, and improve upon cybersecurity information sharing. Cyberse- 
curity information sharing has improved in recent years, and we 
believe it is critically important that industry and Government con- 
tinuously work together to improve the quality and timeliness of 
such information. 

Generally, we see future work in improving information sharing 
processes focusing on: 

• Sharing information from Government to industry, from indus- 
try to Government, and between individual companies within 
industry, including through working to address industry con- 
cerns over liability, regulatory use of information, and possible 
release of information through FOIA and other sunshine re- 
quirements; and 

• Working with interagency and private sector partners to lever- 
age DHS’s STIX/TAXII protocol to automate information shar- 
ing processes. STIX/TAXII facilitates cyberthreat indicator 
sharing in a machine readable format. 

Q.3. Financial institutions generally do a very good job sharing in- 
formation with each other, but there is much less information shar- 
ing that occurs with other sectors. Because companies in different 
sectors can often be victims of the same attacks, robust cross-sector 
coordination is a key piece of the cybersecurity effort. What are 
some of the steps Treasury has taken or plans to take to promote 
better cross-sector coordination and information sharing? 

A.3. Treasury recognizes that the financial sector is critically de- 
pendent on services provided by other sectors, including the energy, 
telecommunications, and information technology sectors. For this 
reason, we are working closely with the financial sector and our 
interagency partners to build processes for effectively sharing infor- 
mation across sectors. These efforts include working with the De- 
partment of Energy to promote the sharing of best practices across 
sectors, planning and participating in cross sector cybersecurity ex- 
ercises, and sharing and receiving information from DHS’s NCCIC, 
which serves as a focal point for cross-sector sharing among Gov- 
ernment and private sector entities. 


RESPONSES TO WRITTEN QUESTIONS OF 
SENATOR MENENDEZ FROM BRIAN PERETTI 

Q.1. As you know, Federal financial regulators have supervisory 
authority with respect to the cybersecurity efforts of regulated fi- 
nancial institutions. For example, the Gramm-Leach-Bliley Act re- 
quires financial institutions to safeguard consumers’ personal infor- 
mation. But today’s financial system extends far beyond regulated 
financial institutions — in the consumer payments area alone, for 
example, it extends to payment networks, merchants, and third- 
party payment processors, to name a few. 

Aside from the Federal Trade Commission’s Section 5 authority 
to guard consumers against unfair, deceptive, or abusive practices, 
there seems to be a critical gap in the standards and attention that 
apply to parts of the system beyond financial institutions. In last 
year’s data breach at Target, for example, a third-party vendor’s 
credentials were used to infiltrate a retailer’s system, resulting in 
the theft of consumer financial information. 

How do you see the role of the Department of Homeland Security 
and other Federal Government actors in protecting against cyberse- 
curity risks to the financial system more broadly, beyond just regu- 
lated institutions that are supervised by financial regulators? 

A.1. Treasury communicates directly with financial institutions 
and other financial services sector organizations and works with 
other agencies and private sector groups to leverage communication 
channels in order to emphasize the importance of risk and vulner- 
ability defenses within the whole system so that institutions can 
make appropriate risk management decisions. Paying attention to 
the whole risk picture requires attention to internal systems as 
well as vendor systems and services. 

Treasury has been widely promoting the value of using the Na- 
tional Institute of Standards and Technology (NIST) Cybersecurity 
Framework to not only promote cybersecurity internally; but also 
for financial institutions to use this framework as a way to assess 
their entire supply chain, including third-party vendors. Treasury 
provides cyberthreat and best practices information to Federal and 
State financial regulators so that regulators can use this informa- 
tion to inform their supervisory oversight and incorporate this in- 
formation into their examination procedures going forward. Treas- 
ury worked with regulators through the Financial Stability Over- 
sight Council (FSOC) to identify cybersecurity as a key operational 
risk in its 2014 report, but remains concerned about regulators’ 
limited ability to provide oversight of third party suppliers. 

Q.2. What tools do DHS and other Federal Government actors have 
to address risks to parts of the financial system outside of regu- 
lated institutions, such as payment networks, other than through 
financial regulators’ supervision of regulated institutions’ relation- 
ships with third-party vendors? 

A.2. Treasury partners with Financial and Banking Information In- 
frastructure Committee (FBIIC) member agencies to address risks 
to parts of the financial system outside of regulated institutions. 
Treasury continues to encourage financial services firms to utilize 
the NIST Cybersecurity Framework, which includes holding busi- 
ness partners, suppliers, and customers accountable to its risk 
management approach. In particular, efforts by the Securities In- 
dustry and Financial Markets Association (SIFMA) to develop 
auditable standards of the Framework may be beneficial in sup- 
porting broad adoption of best practices across the supply chain. 

Treasury works closely with other agencies to identify and pro- 
vide information that may be of use to private sector firms, and 
shares this information through FS-ISAC. Many of the financial 
sector technology service providers are members of FS-ISAC. 
Treasury encourages the sharing of information with other third- 
party service providers across sectors as appropriate. 

Treasury also chairs the Committee on Foreign Investments in 
the United States (CFIUS). CFIUS reviews business transactions 
that could result in control of a U.S. business by a foreign owned 
or controlled entity to determine the effect of such transactions on 
national security, including increased risk to parts of the financial 
sector outside of regulated institutions such as third party hard- 
ware or software vendors. 

Q.3. Are there additional tools that would be helpful to have? 

A.3. Treasury supports cyber legislation to increase information 
sharing that: facilitates cybersecurity information sharing between 
the Government and the private sector, as well as among private 
sector companies; incentivizes the adoption of best practices and 
standards for critical infrastructure protection by complementing 
the process set forth under the Executive Order; gives law enforce- 
ment the tools to fight crime in the digital age; updates Federal 
agency network security laws, and codifies DHS’s cybersecurity re- 
sponsibilities; creates a national data breach reporting require- 
ment; incorporates appropriate privacy and civil liberties safe- 
guards; reinforces the appropriate roles of civilian and intelligence 
agencies; and, includes targeted liability protections. 


RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER 
FROM BRIAN PERETTI 

Q.1. In responding to all questions below (in every category), please 
respond as if a “data security breach” is the “unauthorized access 
to, or acquisition from, a system operated or maintained by a finan- 
cial institution or other entity within the financial services indus- 
try, or an agent, affiliated organization or service provider to that 
financial institution or other financial services entity, that com- 
promises the protection, security, integrity, confidentiality, or pri- 
vacy of any customer financial information that is itself personally 
identifiable or that may be associated with personally identifiable 
information of a customer.” 

How many data security breaches of systems operated or main- 
tained by a financial institution or other entity within the financial 
services industry — whether such breach has been publicly reported 
or not — is your Government department or agency aware occurred 
during 2013 or 2014? In responding to this question, please note 
the following request for an explanation: 

If your response to the foregoing question is that you do not have 
knowledge of any such data security breaches whatsoever, please 
indicate why your department or agency is not aware of any 
breaches given the public reports of multiple breaches within the 
industry in 2013 or 2014. 

Additionally, if your department or agency has knowledge of such 
data security breaches that includes nonpublic information, and 
your answer will indicate that you are subject to a confidentiality 
obligation that prohibits your answering this question completely, 
please indicate which specific Federal law or other rule prohibits 
you from testifying to the Committee about this information on 
data security breaches of which your department or agency has 
knowledge. 

A.1. Treasury does not investigate data security breaches, track 
data security breach investigation statistics, or have authority to 
compel financial institutions to report information associated with 
data breaches. For this reason, we do not maintain a database of 
data security breach incidents. Instead, our efforts are focused on 
engaging with cybersecurity and law enforcement partners, inde- 
pendent regulators, and the sector itself to share information re- 
lated to the technical details of a broad range of cyber incidents to 
reduce the risk of these incidents occurring elsewhere. 

Q.2. Of those data security breaches at financial institutions and/ 
or other entities within the financial services industry which your 
department or agency is aware occurred in 2013 or 2014, please in- 
dicate: 

Approximately how many financial services customers — whether 
individuals or organizations — you estimate were affected by each of 
those data security breaches. 

How many data security breaches resulted in individual cus- 
tomer notices mailed, emailed, or otherwise personally delivered to 
affected customers by the financial institution or other financial 
services entity? 

How many data security breaches resulted in some form of public 
notice by the financial institution or other financial services entity? 
(In response to this subquestion, please indicate for each data secu- 
rity breach if notice was made to major media outlets in the geo- 
graphic region served by the institution or entity, and/or if the no- 
tice resulted from media reports following a public regulatory fil- 
ing.) 

How many data security breaches have never resulted in any 
form of individual customer notices mailed, emailed, or otherwise 
personally delivered to affected customers by the financial institu- 
tion or other financial services entity? 

A.2. Treasury does not investigate data security breaches, track 
data security breach investigation statistics, or have authority to 
compel financial institutions to report information associated with 
data breaches. For this reason, we do not maintain a database of 
data security breach incidents. Instead, our efforts are focused on 
engaging with cybersecurity and law enforcement partners, inde- 
pendent regulators, and the sector itself to share information re- 
lated to the technical details of a broad range of cyber incidents to 
reduce the risk of these incidents occurring elsewhere. 

Q.3. Of those data security breaches which you are aware occurred 
in 2014, and for which no individual customer notice was given by 
the financial institution or other financial services entity, has your 
department or agency investigated the circumstances of the breach 
and considered taking any action to require or encourage individual 
customer notice of the same by such institution or entity? 

A.3. Treasury does not investigate data security breaches, track 
data security breach investigation statistics, or have authority to 
compel financial institutions to report information associated with 
data breaches. For this reason, we do not maintain a database of 
data security breach incidents. Instead, our efforts are focused on 
engaging with cybersecurity and law enforcement partners, inde- 
pendent regulators, and the sector itself to share information re- 
lated to the technical details of a broad range of cyber incidents to 
reduce the risk of these incidents occurring elsewhere. 
Q.4. Has your department or agency ever engaged in any enforce- 
ment action against a financial institution or other entity within 
the financial services industry for failure to individually notify af- 
fected customers of a data security breach suffered by that entity? 

A.4. No. Treasury does not have authority to take enforcement ac- 
tion in this regard. 

Q.5. Has your department or agency ever assessed any civil pen- 
alty or fine against a financial institution or other entity within the 
financial services industry for failure to individually notify affected 
customers of a data security breach suffered by that entity? 

A.5. No. Treasury does not have authority to take enforcement ac- 
tion in this regard. 

Q.6. If the answer to either question 4 or 5 is yes, please specify 
the specific date of the department or agency action, the type of ac- 
tion taken, the entity which was subject to the action, and the 
amount of any penalty or fine that was assessed. If the answer to 
either question is no, please indicate the reason why your depart- 
ment or agency has not. 

A.6. Treasury does not have authority to take enforcement action 
in this regard. 


RESPONSES TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM PHYLLIS SCHNECK 

Q.1. Fast, efficient sharing of actionable cyberthreat information 
between law enforcement, the intelligence community, and industry 
is a vitally important component of protecting information systems. 
While we have seen significant progress over the past couple years 
in the timeliness and quality of information sharing, there is still 
room for improvement. Please describe, first, what steps are being 
taken at your agency or Department to improve the information- 
sharing process and more quickly disseminate actionable informa- 
tion to those who need it. 

A.1. The Department of Homeland Security (DHS) has made sig- 
nificant progress during the last 18 months to improve information 
sharing. Congress recognized this good work last year when it 
unanimously passed a law recognizing the National Cybersecurity 
and Communications Integration Center’s (NCCIC) central role to 
coordinate and serve as an interface for cybersecurity information 
across the Government and private sector. In January 2015, the 
President announced a legislative proposal that builds on this sig- 
nificant action taken by Congress. The Administration’s 2015 legis- 
lative proposal encourages the private sector to share appropriate 
cyberthreat indicators with the NCCIC by providing targeted liabil- 
ity protection for companies that share threat indicator informa- 
tion. The proposal aims to increase the speed, quality, and fre- 
quency of existing information sharing between the Government 
and private-sector entities, to better protect against the shared 
threat of cyber attacks. 

We are actively working to maximize to the fullest extent pos- 
sible the near-real-time dissemination of all relevant and action- 
able cyberthreat indicators among the private sector and Federal 
Departments for the purpose of network defense, while incor- 
porating all appropriate privacy protections. We continue to make 
progress as Congress addresses key information-sharing con- 
straints such as industries’ concerns over liability protections. 

DHS has a number of programs and initiatives dedicated to forg- 
ing and maintaining the public and private-sector trust-relation- 
ships that enable meaningful information sharing including: part- 
nerships with critical infrastructure owners and operators to en- 
sure cohesive cybersecurity efforts; the Critical Infrastructure 
Cyber Community Voluntary Program (C3 Voluntary Program) of- 
fering cybersecurity resources to private and public-sector entities 
through DHS who voluntarily commit to the cybersecurity frame- 
work created as a result of Executive Order 13636; the sharing of 
sensitive indicators that support intrusion prevention measures 
through Enhanced Cybersecurity Services (ECS); as well as ongo- 
ing collaboration with the private sector through the NCCIC, 
DHS’s 24/7 center for cybersecurity incident response, prevention 
and mitigation. 

DHS is increasing the speed of indicator information sharing 
through the implementation of the Structured Threat Information 
expression (STIX) protocol and the Trusted Automated Exchange 
of Indicator Information (TAXII), a transport protocol. These proto- 
cols provide a structured framework for information sharing and 
dissemination that enables the analysis of full-spectrum 
cyberthreat information; a common language in which to share 
cyberthreat information across organizations and products; and a 
common set of services and messages that can be implemented to 
share information. TAXII and STIX are intended for use by Gov- 
ernment and industry Computer Security Incident Response Teams 
to enable timely and secure threat information sharing. All threat 
sharing models, including hub-and-spoke, peer-to-peer, and source- 
subscriber, can take advantage of the standardization offered by 
TAXII and STIX. These protocols are in operational use today 
among several Information Sharing and Analysis Centers, within 
the Cyber Information Sharing and Collaboration Program 
(CISCP), and are being implemented across the NCCIC enterprise. 

CISCP, which began in January 2012, established a systematic 
approach to cyberthreat information sharing and collaboration be- 
tween critical infrastructure owners and operators across all crit- 
ical infrastructure sectors. Partners who have signed the CISCP 
Cooperative Research and Development Agreement share unclassi- 
fied, actionable, timely threat indicator data to enhance the protec- 
tion of themselves and in many cases their customers and constitu- 
ents. Important analytic collaboration meetings are held monthly 
at the unclassified level and quarterly at the classified secret level 
among CISCP partners. 

With respect to cyberthreat intelligence, DHS’s Office of Intel- 
ligence & Analysis (I&A) conducts cyberthreat intelligence outreach 
and engagements with key critical infrastructure sectors at the 
broadest level possible, with an emphasis on providing unclassified 
cyberthreat intelligence to increase owner and operator awareness 
and encourage them to make use of associated indicator data in 
their protection systems. I&A provides tailored analysis of 
cyberthreat activity to various private sector, State and local, and 
Federal partners to develop a common baseline understanding of 
cyberthreats and enable decision makers to protect, prevent, and 
mitigate against cyberthreats. 

DHS developed the C3 Voluntary Program to assist critical infra- 
structure in their adoption of the National Institute of Standards 
and Technology’s Cybersecurity Framework, and to extend a range 
of cybersecurity resources to critical infrastructure including, 
among other things, information-sharing opportunities. 

The ECS program is a voluntary information-sharing program 
that assists critical infrastructure owners and operators to improve 
protection of their systems from unauthorized access, exploitation, 
or data exfiltration. ECS consists of the operational processes and 
security oversight required to share sensitive and classified 
cyberthreat information with qualified Commercial Service Pro- 
viders (CSP) that will enable them to better protect their customers 
who are critical infrastructure entities. The ECS program develops 
threat “indicators” with this information and provides CSPs with 
those indicators of active, malicious cybersecurity activity. CSPs 
may use these threat indicators to provide approved cybersecurity 
services to critical infrastructure entities. 
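
Both witnesses describe the same mechanism: Treasury (A.2 above, on leveraging DHS's STIX/TAXII protocol) and DHS (this answer) present STIX as the common expression language for cyberthreat indicators and TAXII as the transport used to exchange them in machine-readable form. The following is an added example and is not part of the hearing record or of any DHS, Treasury or FS-ISAC tool. It uses the JSON-based STIX 2.1 and TAXII 2.1 (an assumption about what a reader would deploy today; the STIX 1.x in operational use in 2014 was XML-based). It builds Indicator objects, evaluates a small subset of the STIX pattern language (one observation expression with comparisons joined by OR or by AND) against constructed proxy-log events already normalised to STIX object paths, and wraps the objects in the envelope a TAXII 2.1 client posts to a collection. Every address, hash, name and event below is constructed for illustration and refers to no real threat.

```python
"""Added example: STIX 2.1 indicators, a minimal pattern matcher, and a TAXII 2.1 envelope."""
import json
import re
import uuid
from datetime import datetime, timezone

STIX_TS = "%Y-%m-%dT%H:%M:%S.000Z"  # STIX timestamps are RFC 3339, UTC, 'Z' suffix
# STIX identifier: <object-type>--<RFC 4122 UUID>
ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
# one comparison inside an observation expression, e.g.  ipv4-addr:value = '203.0.113.5'
COMPARISON_RE = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.]+)\s*(=|!=)\s*'([^']*)'")


def parse_pattern(pattern):
    """Parse a single '[ ... ]' observation expression into (joiner, [(path, op, value)]).
    Supported subset: comparisons joined by all-OR or all-AND; anything else returns None
    rather than silently matching, so unsupported indicators are visible to the operator."""
    m = re.fullmatch(r"\s*\[(.*)\]\s*", pattern)
    if not m:
        return None
    body = m.group(1)
    if " AND " in body and " OR " in body:
        return None  # mixed precedence is out of scope for this subset
    joiner = "AND" if " AND " in body else "OR"
    comps = []
    for part in re.split(r"\s+(?:AND|OR)\s+", body):
        cm = COMPARISON_RE.fullmatch(part.strip())
        if not cm:
            return None
        comps.append(cm.groups())
    return joiner, comps


def make_indicator(pattern, name, valid_from):
    """Build a minimal STIX 2.1 Indicator SDO; refuses patterns the matcher cannot evaluate."""
    if parse_pattern(pattern) is None:
        raise ValueError(f"unsupported pattern: {pattern}")
    ts = valid_from.strftime(STIX_TS)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def matches(pattern, observation):
    """Evaluate a pattern against one observation, a dict mapping STIX object paths to the
    value seen (e.g. {'ipv4-addr:value': '203.0.113.5'}). A comparison on an absent path is
    false, including '!=', which mirrors STIX patterning semantics."""
    parsed = parse_pattern(pattern)
    if parsed is None:
        raise ValueError(f"unsupported pattern: {pattern}")
    joiner, comps = parsed
    results = []
    for path, op, value in comps:
        seen = observation.get(path)
        equal = seen is not None and seen == value
        results.append(equal if op == "=" else (seen is not None and not equal))
    return all(results) if joiner == "AND" else any(results)


def scan_events(indicators, events):
    """Return (event index, indicator id) for every event that matches an indicator."""
    return [(i, ind["id"]) for i, ev in enumerate(events)
            for ind in indicators if matches(ind["pattern"], ev)]


def taxii_envelope(objects):
    """Serialise objects as the TAXII 2.1 envelope a client POSTs to
    <api-root>/collections/<id>/objects/; malformed ids are rejected before they are shared."""
    for obj in objects:
        if not ID_RE.match(obj["id"]):
            raise ValueError(f"malformed STIX id: {obj['id']}")
    return json.dumps({"objects": objects}, indent=2)


# ---- constructed sample data (not from the hearing; documentation-range addresses) ----
VALID_FROM = datetime(2014, 12, 10, tzinfo=timezone.utc)
INDICATORS = [
    make_indicator("[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '198.51.100.7']",
                   "example C2 addresses", VALID_FROM),
    make_indicator("[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
                   "example dropper hash", VALID_FROM),
]
EVENTS = [  # outbound connections and one download, normalised from proxy logs to STIX paths
    {"ipv4-addr:value": "192.0.2.10"},
    {"ipv4-addr:value": "198.51.100.7", "domain-name:value": "example.invalid"},
    {"file:hashes.MD5": "d41d8cd98f00b204e9800998ecf8427e", "ipv4-addr:value": "192.0.2.11"},
]

if __name__ == "__main__":
    print(taxii_envelope(INDICATORS))
    for idx, ind_id in scan_events(INDICATORS, EVENTS):
        print(f"event {idx} matched {ind_id}")
```

The matcher deliberately supports only a subset of STIX patterning and refuses the rest; in a real deployment the receiving side should validate incoming objects before loading them into detection, since a malformed or overly broad pattern from a sharing partner can generate floods of false positives just as easily as a bad signature can.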

Q.2. Second, what obstacles or constraints delay the dissemination 
of such information? 

A.2. We believe that carefully updating laws to facilitate cybersecu- 
rity information sharing is one of several legislative changes essen- 
tial to protect individuals’ privacy and improve the Nation’s cyber- 
security. Such legislation should, among other things, provide for 
appropriate sharing with targeted liability protections. 

The Administration’s updated legislative proposal promotes bet- 
ter cybersecurity information sharing between the private sector 
and Government, and it enhances collaboration and information 
sharing amongst the private sector. Specifically, the proposal en- 
courages the private sector to share appropriate cyberthreat infor- 
mation with the DHS NCCIC, and with private-sector developed 
and operated Information Sharing and Analysis Organizations 
(ISAOs), by providing targeted liability protection for companies 
that share information with these entities. Once information is re- 
ceived, the DHS NCCIC will then share it in as close to real-time 
as practicable with relevant Federal agencies and relevant ISAOs. 
It does not provide protection for individual private-sector entities 
sharing directly with one another. 

The proposed legislation also encourages the formation of these 
ISAOs. The Administration’s proposal would also safeguard Ameri- 
cans’ personal privacy by requiring private entities to comply with 
certain privacy restrictions such as removing unnecessary personal 
information and taking measures to protect any personal informa- 
tion that must be shared in order to qualify for liability protection. 
The proposal further requires the Department of Homeland Secu- 
rity and the Attorney General, in consultation with the Privacy and 
Civil Liberties Oversight Board, the Director of the Office of Man- 
agement and Budget, and others, to develop receipt, retention, use, 
and disclosure guidelines for the Federal Government. Finally, the 
Administration intends this proposal to complement and not to 
limit existing effective relationships between Government and the 
private sector. These existing relationships between law enforce- 
ment and other Federal agencies are critical to the cybersecurity 
mission. 

Q.3. On November 14, 2014, the DHS Office of Inspector General 
released a report that made some criticisms of DHS’s cybersecurity 
efforts. The report found insufficient staffing at National Cyberse- 
curity and Communications Integration Center (NCCIC) and the 
Office of Intelligence and Analysis, and insufficient technical train- 
ing of staffers. The report also stated that DHS faces continuing 
challenges in sharing cyber incident information with Federal oper- 
ations centers and coordinating effective responses. There have also 
been other reports of low staff morale and high staff turnover at 
key positions. Please discuss these problems in more detail and ex- 
plain what the Department is doing to address them. Specifically, 
please explain what DHS is doing to ensure that information is 
being shared as quickly and efficiently as possible. 

A.3. In regard to the specific recommendations mentioned in the 
November 2014 Office of Inspector General (OIG) report (OIG-14-02, 
DHS Efforts To Coordinate the Activities of Federal Cyber Operations 
Centers), NPPD has done the following: 

• Recommendation #2: Collaborate with the Department of De- 
fense (DOD) and National Institute of Standards and Tech- 
nology (NIST) to develop a standard set of incident categories 
to ensure seamless information sharing between all Federal 
cyber operations centers. The United States Computer Emer- 
gency Readiness Team (U.S.-CERT) published the Revised 
Guidelines on October 1, 2014, and OIG closed this rec- 
ommendation on October 7, 2014. 

• Recommendation #4: Collaborate with I&A management to in- 
crease the number of its analysts available for continuous cov- 
erage at the NCCIC to provide more intelligence and analysis 
to all sectors. I&A did not receive the budget to increase the 
number of analysts for continuous coverage. It is uncertain 
when I&A will be able to increase the number of its analysts 
available for continuous coverage at the NCCIC. Due to uncer- 
tainty surrounding future budget years, the OIG closed this 
recommendation on January 7, 2015. 

DHS’s Office of Intelligence and Analysis is a key partner in 
NCCIC activities, providing tailored all-source cyberthreat intel- 
ligence and warning to NCCIC components and public and private 
critical infrastructure stakeholders to prioritize risk analysis and 
mitigation. 

Within the NCCIC, the U.S. Computer Emergency Readiness 
Team (U.S.-CERT) provides response support and defense against 
cyber attacks for Federal civilian agency networks as well as pri- 
vate-sector partners upon request. U.S.-CERT collaborates and 
shares information with State and local government, industry, and 
international partners, consistent with rigorous privacy, confiden- 
tiality, and civil liberties guidelines, to address cyberthreats and 
develop effective security responses. In fiscal year (FY) 2014, U.S.- 
CERT processed approximately 55,523 cyber incidents involving 
Federal agencies, critical infrastructure, and our industry partners. 
In addition, U.S.-CERT issued 7,655 actionable cyber alerts in 
FY2014 that were used by private sector and Government agencies 
to protect their systems. 

The Department’s Industrial Control Systems Cyber Emergency 
Response Team (ICS-CERT) responded to 240 incidents in FY2014 
while completing 75 on-site assistance visits for response and re- 
covery for significant private-sector cyber incidents. DHS also em- 
powers owners and operators through a cyber self-evaluation tool, 
which was downloaded by more than 4,800 users in FY2014. ICS- 
CERT also trained more than 640 professionals in the Industrial 
Control Systems security industry. 

Successful response to dynamic cyberthreats requires leveraging 
sector specific agencies (SSAs), homeland security, law enforce- 
ment, and military authorities and capabilities, which respectively 
promote sector resilience, domestic preparedness, criminal deter- 
rence and investigation, and national defense. DHS, DOD, and the 
Department of Justice (DOJ), each play a key role in responding 
to cybersecurity incidents that pose a risk to the United States. In 
addition to the aforementioned responsibilities of our Department, 
SSAs like the Treasury Department develop and implement sector 
specific plans unique to respective sectors through a coordinated ef- 
fort involving public and private-sector partners. DOJ is the lead 
Federal department responsible for the investigation, attribution, 
disruption, and prosecution of cybercrimes, while DOD is respon- 
sible for securing national security and military systems as well as 
gathering foreign cyberthreat information and defending the Na- 
tion from attacks in cyberspace. DHS supports our partners in 
many ways. For example, the United States Coast Guard as an 
Armed Force has partnered with U.S. Cyber Command and U.S. 
Strategic Command to conduct military cyberspace operations. 

While each agency operates within the parameters of its authori- 
ties, the U.S. Government’s response to cyber incidents of con- 
sequence is coordinated among these three agencies. Synchroni- 
zation among SSAs, DHS, DOJ, and DOD not only ensures that 
whole of Government capabilities are brought to bear against 
cyberthreats, but also improves Government’s ability to share time- 
ly and actionable cybersecurity information among a variety of 
partners, including the private sector. 

Q.4. Please explain what DHS is doing to better train and retain 
key employees? 

A.4. The recently passed Border Patrol Agent Pay Act of 2014 and 
Cybersecurity Workforce Assessment Act both contain provisions 
that require DHS to assess its current cybersecurity needs and 
workforce and to plan for the future. As part of the requirements 
of the two bills, DHS must inventory cybersecurity positions, attach 
workforce codes corresponding to the National Initiative for Cyber- 
security Education (NICE) Framework, identify critical needs and 
develop a plan for achieving those. Using those workforce codes, 
DHS will be better-positioned to identify associated training needs 
and opportunities specific to employees’ roles in the Department. 
The recent legislation also allows for hiring authorities for cyberse- 
curity positions, and provides authority to set pay scale and incen- 
tives for certain cybersecurity positions. 


RESPONSES TO WRITTEN QUESTIONS OF
SENATOR MENENDEZ FROM PHYLLIS SCHNECK 

Q.1. As you know, Federal financial regulators have supervisory
authority with respect to the cybersecurity efforts of regulated fi- 
nancial institutions. For example, the Gramm-Leach-Bliley Act re- 
quires financial institutions to safeguard consumers’ personal infor- 
mation. But today’s financial system extends far beyond regulated 
financial institutions — in the consumer payments area alone, for 
example, it extends to payment networks, merchants, and third- 
party payment processors, to name a few. 

Aside from the Federal Trade Commission’s Section 5 authority 
to guard consumers against unfair, deceptive, or abusive practices, 
there seems to be a critical gap in the standards and attention that 
apply to parts of the system beyond financial institutions. In last 
year’s data breach at Target, for example, a third-party vendor’s 
credentials were used to infiltrate a retailer’s system, resulting in 
the theft of consumer financial information. 

How do you see the role of the Department of Homeland Security 
and other Federal Government actors in protecting against cyberse- 
curity risks to the financial system more broadly, beyond just regu- 
lated institutions that are supervised by financial regulators? 

A.1. Addressing cybersecurity risks involves a range of policy tools
and approaches, including voluntary assistance in implementing ef- 
fective cybersecurity measures, and threat reduction through crimi- 
nal investigations or other means. DHS plays a leading role 
through the National Protection and Programs Directorate which 
provides support through cybersecurity information-sharing pro- 
grams and direct technical assistance when appropriate and re- 
quested, and the Secret Service and Immigration and Customs En- 
forcement conduct criminal investigations. 

DHS strengthens the cybersecurity of the financial sector 
through voluntary measures by working in partnership with the Fi- 
nancial Services Information Sharing and Analysis Center, the 
Treasury Department, and private industry. USSS is a leader in 
investigating cybercrime across a variety of industries and partners 
closely with DOJ to apprehend and prosecute these criminals. The 
Federal Trade Commission, Consumer Financial Protection Bu- 
reau, Securities and Exchange Commission, and other entities with 
relevant regulatory authorities, enforce their regulations as they 
relate to cybersecurity consistent with their authorities. While co- 
ordinated action is important, this needs to be balanced with the 
need to foster private-sector cooperation by maintaining some dis- 
tinction and separation between regulatory, criminal law enforce- 
ment, and cybersecurity protection assistance. 

Q.2. What tools do DHS and other Federal Government actors have 
to address risks to parts of the financial system outside of regu- 
lated institutions, such as payment networks, other than through 
financial regulators’ supervision of regulated institutions’ relation- 
ships with third-party vendors? 

A.2. DHS performs a leading role in both aiding industry in imple- 
menting effective cybersecurity protections and reducing the 
cybercrime risks they face through effective criminal investigations. 
DHS works with a range of public and private partners to execute
its role in addressing cybersecurity risks. 

As it relates specifically to payment systems, most of the rel- 
evant cybersecurity requirements are developed by the Payment 
Card Industry (PCI) Security Council and enforced through con- 
tracts between financial institutions, payment processors, and re- 
tailers. The United States Secret Service works with the PCI Secu- 
rity Council and private industry to inform the development of 
these and other security standards based upon current trends in 
cybercrime activity. This private-sector driven cybersecurity standards system has proven to be highly adaptive to changes in technology, as well as to changes in cybercriminal techniques, and provides effective incentives for changes to security standards. On January 1, 2015, version 3.0 of the PCI Data Security Standards replaced version 2.0 to become the new standard.

Q.3. Are there additional tools that would be helpful to have? 

A.3. DHS is focused on performing its role in providing voluntary 
cybersecurity assistance to private companies and conducting 
criminal investigations to identify and apprehend those responsible 
for computer intrusions. Further strengthening these capabilities 
will assist DHS in accomplishing its mission to safeguard and se- 
cure cyberspace. 

As necessary, DHS will continue to work with its partners in the 
interagency and in Congress to develop and advance legislative 
proposals that foster rapid cybersecurity information sharing and 
that strengthen Federal law enforcement’s authorities to inves- 
tigate cybercrime, including the President’s recent cybercrime au- 
thorities proposal which includes increased authorities to prosecute 
cybercrimes. 


RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER 
FROM PHYLLIS SCHNECK 

Q.1. In responding to all questions below (in every category), please
respond as if a “data security breach” is the “unauthorized access 
to, or acquisition from, a system operated or maintained by a finan- 
cial institution or other entity within the financial services indus- 
try, or an agent, affiliated organization or service provider to that 
financial institution or other financial services entity, that com- 
promises the protection, security, integrity, confidentiality, or pri- 
vacy of any customer financial information that is itself personally 
identifiable or that may be associated with personally identifiable 
information of a customer.” 

How many data security breaches of systems operated or main- 
tained by a financial institution or other entity within the financial 
services industry — whether such breach has been publicly reported 
or not — is your Government department or agency aware occurred 
during 2013 or 2014? In responding to this question, please note 
the following request for an explanation: 

If your response to the foregoing question is that you do not have
knowledge of any such data security breaches whatsoever, please 
indicate why your department or agency is not aware of any 
breaches given the public reports of multiple breaches within the 
industry in 2013 or 2014. 
Additionally, if your department or agency has knowledge of such
data security breaches that includes nonpublic information, and 
your answer will indicate that you are subject to a confidentiality
obligation that prohibits your answering this question completely, 
please indicate which specific Federal law or other rule prohibits 
you from testifying to the Committee about this information on 
data security breaches of which your department or agency has 
knowledge. 

A.1. There were 14 incidents reported from the financial sector that
are associated with data breaches in 2013-2014. Bear in mind that 
private entities are not required to report breaches to the NCCIC, 
though we make effort to encourage them to share information so 
that we can better inform our private and public partners. The 
NCCIC is the Federal coordination point for information sharing 
and analysis. We maintain trust-based relationships across the 
public and private sector to encourage entities to share information 
and to request assistance as needed, without fear of reprisal. 

Through the Protected Critical Infrastructure Information (PCII) 
program, information voluntarily given by the private sector for 
homeland security purposes is exempt from disclosure except under 
specific procedures for Congressional disclosure. The PCII Program 
is an information-protection program that enhances voluntary in- 
formation sharing between infrastructure owners and operators 
and the Government. PCII protections mean that homeland secu- 
rity partners can be confident that sharing their information with 
the Government will not expose sensitive or proprietary data. Des- 
ignating information as PCII provides a level of protection that fa- 
cilitates DHS’s ability to work directly with the infrastructure own- 
ers and operators to identify vulnerabilities, mitigation strategies, 
and protective measures. 

While protecting their information, DHS has the responsibility to 
provide assistance to those private-sector entities who request it 
and who voluntarily share information regarding an incident. Upon 
receipt of a Request for Technical Assistance (RTA), DHS provides 
on-site and/or remote operational support to Government and pri- 
vate-sector partners, focusing most specifically on supporting reme- 
diation, posture adjustment, and recovery efforts. DHS coordinates 
RTAs with DOJ and DOD, and participates in interagency response 
teams. 

A DHS response team typically includes malware analysts, con- 
trol systems experts, netflow analysts, and DHS law enforcement 
representation, when appropriate. Information learned during the 
operational support process is used not only to support the victim, 
but is also integrated (without attribution) into DHS’s information- 
sharing products for the broader community. 

Q.2. In responding to all questions below (in every category), please 
respond as if a “data security breach” is the “unauthorized access 
to, or acquisition from, a system operated or maintained by a finan- 
cial institution or other entity within the financial services indus- 
try, or an agent, affiliated organization or service provider to that 
financial institution or other financial services entity, that com- 
promises the protection, security, integrity, confidentiality, or pri- 
vacy of any customer financial information that is itself personally 
identifiable or that may be associated with personally identifiable
information of a customer.” 

Of those data security breaches at financial institutions and/or 
other entities within the financial services industry which your de- 
partment or agency is aware occurred in 2013 or 2014, please indi- 
cate: 

Approximately how many financial services customers — whether 
individuals or organizations — you estimate were affected by each of
those data security breaches. 

How many data security breaches resulted in individual cus- 
tomer notices mailed, emailed, or otherwise personally delivered to 
affected customers by the financial institution or other financial 
services entity? 

How many data security breaches resulted in some form of public 
notice by the financial institution or other financial services entity? 
(In response to this subquestion, please indicate for each data secu- 
rity breach if notice was made to major media outlets in the geo- 
graphic region served by the institution or entity, and/or if the no- 
tice resulted from media reports following a public regulatory fil- 
ing.) 

How many data security breaches have never resulted in any 
form of individual customer notices mailed, emailed, or otherwise 
personally delivered to affected customers by the financial institu- 
tion or other financial services entity? 

A.2. Private-sector entities are not required to report breaches to 
DHS; our interactions with them are voluntary. DHS notifies vic- 
tims of cyber incidents primarily through the NCCIC (U.S.-CERT, 
ICS-CERT, and National Coordinating Center) and the USSS, and 
this notification is executed in coordination with Federal cyber centers and with the FBI. Importantly, DHS is responsible for notifying not only the known targets of an attack, but also other organizations and sectors that could be targeted in the future. These
cross sector alerts and warnings are a key piece of DHS’s efforts 
to develop shared situational awareness and feed various protec- 
tion efforts. DHS, however, does not have the authority to instruct 
or require financial institutions to provide us with information re- 
garding their affected customers and their policies regarding cus- 
tomer notification of a breach. 

The NCCIC is proud of the partnerships it has established with 
the financial sector. In fact, there are several financial partners 
with a presence in the NCCIC operations center. The list below of NCCIC financial sector partners constitutes entities that maintain
physical and/or virtual representation on the NCCIC operations 
floor: 

• Department of the Treasury 

• Financial Sector-Information Sharing and Analysis Center 
(FS-ISAC) 

• Federal Deposit Insurance Corporation 

• United States Secret Service (USSS) 

• Federal Bureau of Investigation (FBI) 

• private-sector entities 
Individuals from the private sector, through FS-ISAC representatives, cleared at the Top Secret/Sensitive Compartmented Information (TS/SCI) level, can and do access daily briefs and other
NCCIC meetings to share information on threats, vulnerabilities, 
incidents and potential or known impacts to the sector. The FS- 
ISAC, formed to share specific threat and vulnerability assess- 
ments and effective incident response practices, reaches more than 
11,000 financial institutions throughout the country. FS-ISAC 
members include: banking firms and credit unions, securities firms, 
insurance companies, credit card companies, mortgage banking 
companies, financial services sector utilities, financial services service bureaus, and sector-appropriate industry associations.

Building the trust necessary to have these relationships with pri- 
vate sector and Federal partners is one of our most important 
goals. However, we have run into numerous examples whereby 
partners have chosen not to share information with us despite the 
possible protection that information could offer other partners. We 
have found that companies are often concerned that if knowledge
of a cyber incident becomes public it will cause serious damage to 
their reputation. 

To alleviate these fears, the Department offers protection from 
disclosure of sensitive information under the Protected Critical In- 
frastructure Information (PCII) Act. The PCII program helps to en- 
sure the confidentiality of private-sector company information, al- 
lowing us to strengthen our trust and thereby our information 
sharing and response activities. 

Q.3. In responding to all questions below (in every category), please 
respond as if a “data security breach” is the “unauthorized access 
to, or acquisition from, a system operated or maintained by a finan- 
cial institution or other entity within the financial services indus- 
try, or an agent, affiliated organization or service provider to that 
financial institution or other financial services entity, that com- 
promises the protection, security, integrity, confidentiality, or pri- 
vacy of any customer financial information that is itself personally 
identifiable or that may be associated with personally identifiable 
information of a customer.” 

Of those data security breaches which you are aware occurred in 
2014, and for which no individual customer notice was given by the 
financial institution or other financial services entity, has your de- 
partment or agency investigated the circumstances of the breach 
and considered taking any action to require or encourage individual 
customer notice of the same by such institution or entity? 

A.3. The responsibility to regulate actions by financial sector enti- 
ties before, during or after a cyber breach is not within the purview 
of DHS responsibilities — as DHS is not a regulator of the financial 
sector. However, we are a coordination point for information shar- 
ing during and after a cyber breach; and the NCCIC works to miti- 
gate damages and provide technical assistance upon request. For 
instance, following attacks on the financial services sector in 2013 
and 2014, U.S.-CERT went on-site with major financial institu- 
tions and other critical infrastructure to provide technical assist- 
ance. U.S.-CERT’s technical data and assistance included identi- 
fying 600,000 Distributed Denial of Service-related IP addresses 
and contextual information about the source of the attacks, the
identity of the attacker, or associated details. We have had long- 
term, consistent threat engagements with the Department of 
Treasury, the FBI, and private-sector partners in the Financial 
Services Sector. 

DHS notifies victims of cyber incidents primarily through the 
NCCIC (U.S.-CERT, ICS-CERT, and NCC) and the USSS. This 
notification is executed in coordination with Federal cyber centers
and with the FBI. Importantly, DHS is responsible for notifying not 
only the known targets of an attack, but also other organizations 
and sectors that could be targeted in the future. These cross-sector 
alerts and warnings are a key piece of DHS’s efforts to develop 
shared situational awareness and feed various protection efforts. 
DHS, however, does not have the authority to instruct or require 
financial institutions to provide us with information regarding 
their affected customers and their policies regarding customer noti- 
fication of a breach. 

Q.4. In responding to all questions below (in every category), please 
respond as if a “data security breach” is the “unauthorized access 
to, or acquisition from, a system operated or maintained by a finan- 
cial institution or other entity within the financial services indus- 
try, or an agent, affiliated organization or service provider to that 
financial institution or other financial services entity, that com- 
promises the protection, security, integrity, confidentiality, or pri- 
vacy of any customer financial information that is itself personally 
identifiable or that may be associated with personally identifiable 
information of a customer.” 

Has your department or agency ever engaged in any enforcement 
action against a financial institution or other entity within the fi- 
nancial services industry for failure to individually notify affected 
customers of a data security breach suffered by that entity? 

Has your department or agency ever assessed any civil penalty 
or fine against a financial institution or other entity within the fi- 
nancial services industry for failure to individually notify affected 
customers of a data security breach suffered by that entity? 

If the answer to either question is yes, please specify the specific 
date of the department or agency action, the type of action taken, 
the entity which was subject to the action, and the amount of any 
penalty or fine that was assessed. If the answer to either question 
is no, please indicate the reason why your department or agency 
has not. 

A.4. The responsibility to regulate actions by financial sector enti- 
ties before, during or after a cyber breach is not within the purview 
of DHS responsibilities — as DHS is not a regulator of the financial 
sector. However, we are a coordination point for information shar- 
ing during and after a cyber breach; and the NCCIC works to miti- 
gate damages and provide technical assistance upon request. For 
instance, following attacks on the financial services sector in 2013 
and 2014, U.S.-CERT went on-site with major financial institu- 
tions and other critical infrastructure to provide technical assist- 
ance. U.S.-CERT’s technical data and assistance included identi- 
fying 600,000 Distributed Denial of Service-related IP addresses 
and contextual information about the source of the attacks, the 
identity of the attacker, or associated details. We have had long-
term, consistent threat engagements with the Department of 
Treasury, the FBI, and private-sector partners in the Financial 
Services Sector. 

DHS notifies victims of cyber incidents primarily through the 
NCCIC (U.S.-CERT, ICS-CERT, and NCC) and the USSS. This 
notification is executed in coordination with Federal cyber centers 
and with the FBI. Importantly, DHS is responsible for notifying not 
only the known targets of an attack, but also other organizations 
and sectors that could be targeted in the future. These cross-sector 
alerts and warnings are a key piece of DHS’s efforts to develop 
shared situational awareness and feed various protection efforts. 
DHS, however, does not have the authority to instruct or require 
financial institutions to provide us with information regarding 
their affected customers and their policies regarding customer noti- 
fication of a breach. 


RESPONSES TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM VALERIE ABEND 

Q.1. Fast, efficient sharing of actionable cyberthreat information
between law enforcement, the intelligence community, and industry 
is a vitally important component of protecting information systems. 
While we have seen significant progress over the past couple years 
in the timeliness and quality of information sharing, there is still 
room for improvement. Please describe, first, what steps are being 
taken at your agency or Department to improve the information- 
sharing process and more quickly disseminate actionable informa- 
tion to those who need it. 

First, what steps are being taken at your agency or Department
to improve the information-sharing process and more quickly dis- 
seminate actionable information to those who need it? 

Second, what obstacles or constraints delay the dissemination of 
such information? 

A.1. Cyberthreats evolve rapidly, and banks and their critical service providers need to have in place appropriate methods for monitoring, sharing, and responding to threat and vulnerability information to safeguard customer and other sensitive information and
technology systems. For this reason, the OCC, along with the other 
Federal Financial Institutions Examination Council (FFIEC) mem- 
bers, issued the Cybersecurity Threat and Vulnerability Monitoring 
and Sharing Statement on November 3, 2014. The statement reiter- 
ated that banks are expected to monitor and maintain sufficient 
awareness of cybersecurity threat and vulnerability information so 
they can evaluate risk and respond accordingly. This statement 
also recommended that banks participate in the Financial Serv- 
ices — Information Sharing and Analysis Center (FS-ISAC) and le- 
verage other resources to obtain threat information on a timely 
basis. 

We recognize that obtaining timely, relevant, and actionable in- 
formation is critically important for financial institutions and the 
ability of the financial sector to prepare for, respond to, and miti- 
gate evolving threats. Constraints on the timely dissemination of 
threat information can vary depending upon the speed at which institutions share, process, and act upon the information. To address
these obstacles, the private sector is working to develop more auto- 
mated processes for distribution of threat information. Further, a 
statutory safe harbor from liability for the sharing of information 
about cyberthreats among institutions and the Federal Government 
would encourage information sharing. 

Q.2. During some recent data breaches, hackers have been able to 
break into companies’ systems by exploiting vulnerabilities of ven- 
dors. Please discuss: 

First, what the financial regulators are doing to address cyberse- 
curity capabilities at third party service providers for financial in- 
stitutions, using their authorities under the Bank Service Company 
Act of 1962; 

Second, what regulators expect from financial institutions in 
their management of third party relationships; and 

Finally, whether, based on the FFIEC assessment conducted this 
past summer, small institutions are capable of meeting these ex- 
pectations. 

A.2. The OCC supervises third-party service providers under our 
Bank Service Company Act (BSCA) authority. The OCC, together 
with the other Federal bank regulatory agencies, developed a pro- 
gram to supervise, on an interagency basis, those third-party tech- 
nology service providers (TSPs) that are most critical to the bank- 
ing industry. Supervision of the largest TSPs is coordinated 
through the Information Technology (IT) Subcommittee of the 
FFIEC Task Force on Supervision. Other TSPs that are smaller in 
size or complexity are supervised on an interagency basis through 
the regional offices of the agencies. 

As provided in the BSCA, the services performed by a TSP for 
a depository institution are subject to regulation and examination 
to the same extent as if such services were performed by the depos- 
itory institution itself on its own premises. Accordingly, the Federal 
bank regulatory agencies examine the adequacy of TSPs’ cybersecu- 
rity programs, including their IT risk management, controls, and 
information security. Examinations are conducted using the same 
FFIEC information technology work programs that are applicable 
to depository institutions. A report of examination is then issued to 
the TSP, along with an URSIT rating. The examination report is
made available to depository institutions that use the examined 
services at the time of the examination. The supervision program 
standards used by the Federal bank regulatory agencies can be 
found in the FFIEC IT Examination Handbook Supervision of 
Technology Service Providers booklet. Each Federal bank regu- 
latory agency has issued guidance for financial institutions regard- 
ing the oversight of third-party service providers. For the OCC, this 
guidance is contained in OCC Bulletin 2013-29 Third-Party Rela- 
tionships: Risk Management Guidance. This guidance outlines risk 
management expectations for financial institutions’ selection, over- 
sight and ongoing monitoring of their third-party service providers. 
This guidance has been incorporated into the OCC’s supervisory
strategies used to examine national banks and Federal savings as- 
sociations. In addition to agency specific guidance, the FFIEC 
members have jointly issued guidance on exam procedures to examiners that can be found in the FFIEC IT Examination Handbook
Outsourcing Technology Services booklet. 

Based on the results from this past summer’s pilot of new exam 
procedures, we found that OCC-supervised community institutions 
involved in the assessment generally have processes to manage 
third-party relationships. We will continue to communicate the 
risks posed by third-party relationships and our expectations that 
financial institutions manage these risks. Where examiners deter- 
mine that an institution does not meet our expectations, they will 
require the institution to ensure any gaps are addressed. 


RESPONSES TO WRITTEN QUESTIONS OF 
SENATOR MENENDEZ FROM VALERIE ABEND 

Q.1. As you know, Federal financial regulators have supervisory
authority with respect to the cybersecurity efforts of regulated fi- 
nancial institutions. For example, the Gramm-Leach-Bliley Act re- 
quires financial institutions to safeguard consumers’ personal infor- 
mation. But today’s financial system extends far beyond regulated 
financial institutions — in the consumer payments area alone, for 
example, it extends to payment networks, merchants, and third- 
party payment processors, to name a few. 

Aside from the Federal Trade Commission’s Section 5 authority 
to guard consumers against unfair, deceptive, or abusive practices, 
there seems to be a critical gap in the standards and attention that 
apply to parts of the system beyond financial institutions. In last 
year’s data breach at Target, for example, a third-party vendor’s 
credentials were used to infiltrate a retailer’s system, resulting in 
the theft of consumer financial information. 

How do you see the role of the FFIEC and its members in pro- 
tecting against cybersecurity risks to the financial system more 
broadly, beyond just regulated institutions? 

A.1. Weak cybersecurity has become an increasing risk to the safety and soundness of financial institutions and the whole financial system. In recognition of this risk, the FFIEC created a Cybersecurity and Critical Infrastructure Working Group (CCIWG). The
CCIWG serves as a dedicated forum to address policy relating to 
cybersecurity and critical infrastructure security and resilience of 
financial institutions and their technology service providers. In 
support of this role and its objectives, the CCIWG communicates 
with the intelligence community, law enforcement, and homeland 
security agencies regarding cybersecurity and critical infrastruc- 
ture issues on an ongoing basis. The CCIWG also serves as a forum 
for members to communicate, collaborate, and build on existing ef- 
forts to support and strengthen the activities of other interagency 
and private sector groups that promote financial services sector cy- 
bersecurity and critical infrastructure security and resilience. 

Q.2. What tools do Federal financial regulators have to address
risks to parts of the system outside of regulated institutions, such 
as payment networks, other than through supervision of regulated 
institutions’ relationships with third-party vendors? 
A.2. The OCC regulates national banks, Federal savings associations, and their third-party service providers. The OCC’s legal authority to supervise third party service providers is set forth in the
BSCA. Under this authority, the OCC in conjunction with other 
FFIEC member agencies, supervises TSPs, including several pay- 
ment system processors. Supervision of the largest and most sys- 
temically important TSPs is centrally coordinated through the IT 
Subcommittee of the FFIEC Task Force on Supervision.

Other third-party TSPs, smaller in size or complexity, are super- 
vised on an interagency basis through the regional offices of the 
agencies. 

As provided in the BSCA, the services performed by a TSP for 
a depository institution are subject to regulation and examination 
to the same extent as if such services were performed by the depository institution itself. Accordingly, the Federal bank regulatory
agencies examine the adequacy of TSPs’ cybersecurity programs as 
part of their examinations of IT risk management, controls, and in- 
formation security. Examinations are conducted using the same 
EEIEC information technology work programs that are applicable 
to depository institutions. A report of examination is then issued to 
the TSP, along with an URSIT rating. The TSP’s examination re- 
port also is made available to insured financial institutions using 
the examined services at the time of the examination. The super- 
vision program standards used by agencies can be found in the 
EEIEC IT Examination Handbook Supervision of Technology Serv- 
ice Providers booklet. 

In addition, under the Dodd-Frank Act, the Financial Stability 
Oversight Council (Council), of which the OCC is a member, has 
the ability to designate critical payment, clearing, settlement, and 
other financial market utilities as systemically important. 
Designated financial market utilities performing payment, clearing, 
or settlement activities are subject to heightened prudential 
standards and supervision by the Board of Governors of the Federal 
Reserve System. 

Also, the OCC is a member of the Financial and Banking Industry 
Infrastructure Council (FBIIC) and directly interacts with other 
financial sector regulatory agencies. The FBIIC coordinates efforts 
to improve the reliability and security of financial information 
infrastructure. Through this interaction, the OCC can elevate any 
concerns it has with financial sector service providers that are 
supervised by other regulatory agencies. 

Q.3. Are there additional tools that would be helpful to have? 

A.3. It would be helpful if sectors such as telecommunications and 
public utilities, upon which banks depend, were subject to similar 
standards and oversight. 

Q.4. Like Federal regulators, State financial regulators are also 
incorporating cybersecurity considerations into their examination 
and supervision of regulated institutions. On December 10, for 
example, the New York Department of Financial Services (NYDFS) 
announced new examination procedures relating to information 
technology (IT), including a focus on cybersecurity as part of an 
institution’s risk-management strategy. 

While there appears to be some overlap with Federal financial 
regulators’ requirements, there also seem to be some notable 
differences, such as in the information requested and whether the 
level of scrutiny varies based on factors like the size of the 
institution. One press report in the American Banker describes 
NYDFS’s requirements as “tougher than the FFIEC’s.” 

How would you compare the FFIEC’s cybersecurity approach and 
examination procedures to State efforts such as NYDFS’s? 

A.4. The OCC by itself, and in conjunction with other members of 
the FFIEC, has developed a comprehensive IT supervision program 
that includes supervisory guidance and examination procedures re- 
lating to cybersecurity. This approach has been in place for several 
years and the NYDFS’ recently announced examination procedures 
appear similar. 

The FFIEC IT Examination Handbook includes 11 individual 
booklets covering examination areas such as IT Management, IT 
Audit, Information Security, Development and Acquisition, Oper- 
ations and other key technology control functions. Each of these 
booklets, and the Information Security booklet in particular, ad- 
dresses cybersecurity controls. 

The FFIEC also has issued a number of guidance statements cov- 
ering cybersecurity-related risks including: 

• Authentication in an Internet Banking Environment Guidance 
and the related supplement. 

• Cyber Attacks on Financial Institutions’ ATM and Card Au- 
thorization Systems Joint Statement. 

• Distributed Denial of Service Attacks, Risk Mitigation, and Ad- 
ditional Resources Joint Statement. 

• Threat and Vulnerability Monitoring and Information Sharing 
Statement. 

In addition to guidance issued jointly through the FFIEC, exam- 
ples of guidance issued specifically by the OCC include: 

• OCC Bulletin 2008-16 Information Security: Application Secu- 
rity. 

• OCC Bulletin 2013-29 Third-Party Relationships: Risk Man- 
agement Guidance. 

Since cybersecurity threats and attacks evolve, the OCC and 
FFIEC have mechanisms in place to continually reevaluate and 
strengthen overall information technology supervision processes. 
We compare and leverage information from recognized govern- 
mental, regulatory, and industry frameworks and standards when 
developing our examination programs to ensure the scope of our ex- 
aminations adequately cover evolving risks. 

Recognizing the need to continue to strengthen supervision of cy- 
bersecurity processes at financial institutions, FFIEC members pi- 
loted a cybersecurity examination work program (Cybersecurity As- 
sessment) at over 500 community financial institutions to evaluate 
their preparedness to mitigate cyber risks. The FFIEC members 
are using the results of this Cybersecurity Assessment to identify 
and prioritize actions to enhance the effectiveness of 
cybersecurity-related supervisory programs, guidance, notification expectations, 
and examiner training. 

Q.5. What operational areas does the FFIEC consider most impor- 
tant for cybersecurity? How does this compare to State approaches, 
such as NYDFS’s? 

A.5. The OCC assesses the key operational areas needing examina- 
tion coverage based on the inherent risk of each institution super- 
vised. A financial institution’s inherent risk is based on the prod- 
ucts and services it offers, its processing volumes, customer base, 
technologies used, third-party connectivity, and a number of other 
factors. 

While the risks and corresponding control expectations will differ 
based on the inherent risks of the institution, key areas of our 
focus include: 

• Risk Management and Oversight; 

• Threat Intelligence and Collaboration; 

• Cybersecurity Controls; 

• External Dependency Management; and 

• Cyber Incident Management and Resiliency. 

These areas of focus are similar to those of the NYDFS. 

Q.6. Because of the fast-evolving nature of the cybersecurity field, 
to what extent does the FFIEC look to State efforts for possible 
models or elements to incorporate into Federal approaches? 

A.6. The OCC and other FFIEC members, which include State 
bank regulators, have been considering many statutory, regulatory, 
and industry-recognized frameworks, such as the Federal Information 
Security Modernization Act requirements, National Institute of 
Standards and Technology publications and framework, Control 
Objectives for Information and Related Technology framework, 
International Organization for Standardization standards, 
Capability Maturity Models, and others when developing supervisory 
policies and examination programs. 

The OCC also monitors State laws for possible elements to 
incorporate in its guidance and examination approaches, if 
appropriate. For example, when promulgating its customer 
information guidance in 2005, the OCC reviewed and was guided by 
the California breach notification law. 

Q.7. Are there elements of NYDFS’s model that FFIEC is 
considering incorporating? For example, is the FFIEC considering 
expanding the information it requests to include any items covered 
by NYDFS’s new policy? 

A.7. Information outlined in the NYDFS letter, dated December 10, 
2014, on its New Cyber Security Examination Process generally is 
already requested as part of ongoing examinations at the financial 
institutions we supervise. The OCC has requested such information 
from institutions for quite some time and tailors its requests for 
information based on the risk and complexity of products and 
operations of the individual institution being examined. Examples 
of the type of information requested can be found in the FFIEC IT 
Examination Handbook. 

Q.8. To what extent are Federal financial regulators engaging with 
State regulators more generally relating to cybersecurity examina- 
tions and supervision, to help inform State regulators as well as to 
be informed by their experiences? 

A.8. State banking regulators are represented on the FFIEC. The 
Chair of the State Liaison Committee (SLC) is a voting member of 
the FFIEC and the SLC is comprised of representatives from the 
Conference of State Banking Supervisors, the American Council of 
State Savings Supervisors, and the National Association of State 
Credit Union Supervisors. 

The State Liaison Committee is also represented on the FFIEC 
Task Force on Supervision’s IT Subcommittee and the CCIWG. 
These groups are responsible for developing and implementing the 
FFIEC IT guidance statements, work programs, and the cybersecu- 
rity pilot outlined throughout this response. These groups also pro- 
vide a forum for Federal and State regulators to share experiences 
regarding cybersecurity examinations and supervision. 


RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER 
FROM VALERIE ABEND 

Q.1. In responding to all questions below (in every category), please 
respond as if a “data security breach” is the “unauthorized access 
to, or acquisition from, a system operated or maintained by a finan- 
cial institution or other entity within the financial services indus- 
try, or an agent, affiliated organization or service provider to that 
financial institution or other financial services entity, that com- 
promises the protection, security, integrity, confidentiality, or pri- 
vacy of any customer financial information that is itself personally 
identifiable or that may be associated with personally identifiable 
information of a customer.” 

How many data security breaches of systems operated or main- 
tained by a financial institution or other entity within the financial 
services industry — whether such breach has been publicly reported 
or not — is your Government department or agency aware occurred 
during 2013 or 2014? In responding to this question, please note 
the following request for an explanation: 

If your response to the foregoing question is that you do not have 
knowledge of any such data security breaches whatsoever, please 
indicate why your department or agency is not aware of any 
breaches given the public reports of multiple breaches within the 
industry in 2013 or 2014. 

Additionally, if your department or agency has knowledge of such 
data security breaches that includes nonpublic information, and 
your answer will indicate that you are subject to a confidentiality 
obligation that prohibits your answering this question completely, 
please indicate which specific Federal law or other rule prohibits 
you from testifying to the Committee about this information on 
data security breaches of which your department or agency has 
knowledge. 

A.1. All national banks and Federal savings associations are 
expected to report to the OCC “as soon as possible when the 
institution becomes aware of an incident involving unauthorized 
access to or use of ‘sensitive customer information,’” as defined 
in 12 CFR Part 30 Appendix B, Supplement A (national banks), and 
Part 170, Appendix B, Supplement A (Federal savings associations) 
(referred to in the answers that follow as “The Response Program 
Guidance” or the “Guidance”). The OCC issued the Guidance together 
with the Board of Governors of the Federal Reserve System (State 
member banks), the Federal Deposit Insurance Corporation (State 
nonmember banks) and the National Credit Union Administration 
(credit unions). 

During 2013 and 2014, there were approximately 20 reported se- 
curity breaches of systems at financial institutions supervised by 
the OCC that fell within the scope of the Response Program Guid- 
ance. 

Q.2. Of those data security breaches at financial institutions and/ 
or other entities within the financial services industry which your 
department or agency is aware occurred in 2013 or 2014, please in- 
dicate: 

Approximately how many financial services customers — whether 
individuals or organizations — you estimate were affected by each of 
those data security breaches. 

A.2. The number of customers impacted by any one of the events 
about which the OCC was notified range from less than 10 cus- 
tomers to over 83 million customers. 

While a single event can potentially affect millions of customers, 
most events have had an impact on fewer than one thousand cus- 
tomers, with many of the individual events affecting a small num- 
ber of customers. 

Q.3. How many data security breaches resulted in individual cus- 
tomer notices mailed, emailed or otherwise personally delivered to 
affected customers by the financial institution or other financial 
services entity? 

A.3. The Response Program Guidance states that a financial insti- 
tution should notify a customer of unauthorized access to sensitive 
customer information if it determines that the misuse of such infor- 
mation has occurred or is reasonably possible. OCC examiners, as 
a part of their ongoing supervisory activities, determine whether a 
financial institution that experiences a breach of sensitive customer 
information has notified customers in accordance with the Guid- 
ance. OCC examiners also determine whether the institution has 
policies and procedures to ensure that it is complying with any rel- 
evant State laws. 

Of the incidents listed in response to Question 1 above, all but 
three resulted in direct notification to the affected customers. In 
two instances, it was determined that while malware affected the 
bank’s system, no sensitive customer information was viewed or re- 
moved from the bank’s system and thus misuse of sensitive cus- 
tomer information did not occur and was not reasonably possible, 
within the meaning of the Response Program Guidance. In the 
third instance, the type of information accessed did not meet the 
definition of sensitive customer information contained in the Re- 
sponse Program Guidance. Therefore, in these cases, notification 
was not required. In the third instance, the institution did, how- 
ever, issue a public press release and posted notice on its public 
Web site. 

Q.4. How many data security breaches resulted in some form of 
public notice by the financial institution or other financial services 
entity? (In response to this subquestion, please indicate for each 
data security breach if notice was made to major media outlets in 
the geographic region served by the institution or entity, and/or if 
the notice resulted from media reports following a public regulatory 
filing.) 

A.4. The Response Program Guidance does not require public noti- 
fication to media outlets. The OCC has observed that financial in- 
stitutions typically issue a press release or public statement for 
large-scale breach events. 

Q.5. How many data security breaches have never resulted in any 
form of individual customer notices mailed, emailed, or otherwise 
personally delivered to affected customers by the financial institu- 
tion or other financial services entity? 

A.5. Of the incidents noted above, there is only one data security 
breach where an institution did not notify affected customers. As 
described above, it was determined that the customer information 
accessed or removed from the institution’s system did not meet the 
definition of sensitive customer information described in the Re- 
sponse Program Guidance. The institution did, however, issue a 
public press release and posted notice on its public Web site about 
the breach event. 

Q.6. Of those data security breaches which you are aware occurred 
in 2014, and for which no individual customer notice was given by 
the financial institution or other financial services entity, has your 
department or agency investigated the circumstances of the breach 
and considered taking any action to require or encourage individual 
customer notice of the same by such institution or entity? 

A.6. When the OCC is notified that a breach of sensitive customer 
information has occurred, as defined by the Response Program 
Guidance, and the institution determines that the information has 
been or is reasonably likely to be misused, a financial institution is 
expected to provide notice to affected customers. The OCC reviews 
the facts upon which the institution’s determination is based to en- 
sure that customers are notified when warranted. 

Q.7. Has your department or agency ever engaged in any enforce- 
ment action against a financial institution or other entity within 
the financial services industry for failure to individually notify af- 
fected customers of a data security breach suffered by that entity? 

Has your department or agency ever assessed any civil penalty 
or fine against a financial institution or other entity within the fi- 
nancial services industry for failure to individually notify affected 
customers of a data security breach suffered by that entity? 

If the answer to either question is yes, please specify the specific 
date of the department or agency action, the type of action taken, 
the entity which was subject to the action, and the amount of any 
penalty or fine that was assessed. If the answer to either question 
is no, please indicate the reason why your department or agency 
has not. 

A.7. The OCC has not brought an enforcement action against a 
financial institution or other entity within the financial services 
industry for failure to individually notify affected customers of a 
“data security breach” suffered by that entity, as defined in 
Question 1. However, between 2009 and 2013, the OCC took formal 
enforcement actions against 60 national banks for failing to have 
adequate information security programs and required them to 
enhance their information technology systems and/or third-party 
management processes. 

National banks and Federal savings associations are expected to 
provide notice to customers in accordance with the Response Pro- 
gram Guidance and any applicable State law. The OCC has not ob- 
served failures to provide this notice and therefore has not taken 
any enforcement action requiring a financial institution to do so. 

Q.8. Based in part on the OCC’s responses to the questions above, 
in addition to other information it deems relevant, please give the 
Committee your complete and thorough assessment of the following 
questions regarding the interpretive guidance issued by the OCC, 
Federal Reserve Board, FDIC, and OTS on March 29, 2005, to 
every financial institution regarding their implementation of a re- 
sponse program designed to address incidents of unauthorized ac- 
cess to sensitive customer information maintained by the financial 
institution or its service provider: 

Has the OCC conducted an annual or other periodic review of the 
interpretive guidance since its issuance in 2005 and, if so, what are 
the OCC’s conclusions from those reviews with respect to the cur- 
rent applicability and sufficiency of the interpretive guidance to to- 
day’s data security breaches? 

A.8. The OCC conducts periodic reviews of our Response Program 
Guidance, and has done so most recently as part of a Cybersecurity 
Risk Assessment of over 500 financial institutions that was con- 
ducted under the auspices of the FFIEC in which the OCC partici- 
pated. We currently are reviewing the results of the Assessment to- 
gether with other sources of information, to determine whether the 
Guidance should be changed and, if so, how best to make these 
changes. 

Q.9. In light of the 47 State laws regarding breach notification that 
have been enacted to date, has the OCC reviewed the cir- 
cumstances under which financial institutions may be subject to 
such laws, and has it considered updating the 2005 interpretive 
guidance to bring it in line with current requirements for all busi- 
nesses subject to such State laws to individually notify affected cus- 
tomers when that business suffers a breach (as defined under each 
law)? 

A.9. Financial institutions are subject to State breach notification 
laws that provide greater protections than the Response Program 
Guidance. See Section 507 of the Gramm-Leach-Bliley Act (GLBA), 
12 U.S.C. §6807. While drafting the Response Program Guidance 
in 2005, the OCC reviewed and was guided by existing State laws, 
in particular California’s breach notification law. The OCC also re- 
views State breach notification laws from time-to-time for new de- 
velopments. Many of the current State laws are similar to the Re- 
sponse Program Guidance. 

Q.10. In the opinion of the OCC, does the 2005 interpretive 
guidance legally “require” financial institutions, or other entities 
within the financial services industry, to provide individualized 
notices via mail, email, or other personal delivery service to all 
potentially affected customers when a system operated or maintained 
by a financial institution or other financial services entity, or 
an agent, affiliated organization or service provider to that 
financial institution or other financial services entity, suffers a 
data security breach? If your response to this question is “yes,” 
please explain the legal reasoning that supports your conclusion 
that the interpretive guidance “requires” financial institutions to 
notify customers in light of the text of the guidance indicating 
financial institutions “should” contain procedures to notify 
customers when warranted, and does not explicitly state that 
financial institutions “shall” notify affected customers (similar to 
the express obligation in State data breach notification laws). 

A.10. As noted above, national banks and Federal savings associa- 
tions are subject to State law breach notice requirements. The Re- 
sponse Program Guidance interprets section 501(b) of the GLBA 
and the Interagency Guidelines Establishing Information Security 
Standards. See 12 CFR Part 30, Appendix B (national banks) and 
Part 170, Appendix B (Federal savings associations). The Guide- 
lines, which are enforceable by their terms, require banks to have 
a response program that specifies actions to be taken when the 
bank suspects or detects that unauthorized individuals have gained 
access to customer information systems, including appropriate re- 
ports to regulatory and law enforcement agencies. The Guidance 
elaborates on this requirement to state that the OCC expects a fi- 
nancial institution’s response program to include procedures for no- 
tifying customers when there has been unauthorized access to their 
sensitive information and misuse of the information has occurred 
or is reasonably possible. 

Q.11. If your response to the subquestion above indicates that 
individual customer notice is legally “required” for a data security 
breach, please indicate whether the OCC has ever enforced such a 
“requirement” against any financial institution or other financial 
services entity, or any agent, affiliated organization, or service pro- 
vider to that financial institution or other financial services entity. 
If the OCC has not enforced such a legal “requirement” to notify 
in all cases of which it is aware of a data security breach that has 
not resulted in such notice, please explain why it has not enforced 
this requirement in each case. 

A.11. Please see the response to Questions 7 and 8. 

Q.12. If your response to the subquestion above indicates that indi- 
vidual customer notice is legally “required” for a data security 
breach, please indicate if the OCC has ever assessed any civil pen- 
alty or fine against any financial institution or other financial serv- 
ices entity, or any agent, affiliated organization, or service provider 
to that financial institution or other financial services entity, for 
failure to individually notify affected customers of a data security 
breach suffered by that entity. 

A.12. Please see the response to Questions 7 and 8. 


RESPONSES TO WRITTEN QUESTIONS OF SENATOR CRAPO 
FROM WILLIAM NOONAN 

Q.1. Fast, efficient sharing of actionable cyberthreat information 
between law enforcement, the intelligence community, and industry 
is a vitally important component of protecting information systems. 
While we have seen significant progress over the past couple years 
in the timeliness and quality of information sharing, there is still 
room for improvement. Please describe: 

First, What steps are being taken at your agency or Department 
to improve the information-sharing process and more quickly dis- 
seminate actionable information to those who need it? 

A.1. The U.S. Secret Service (Secret Service) continues to be 
committed to quickly disseminating actionable information to those 
who need it, and continues to take steps to further improve our 
ability to notify victims of computer intrusions and widely share in- 
formation to aid organizations in protecting their computer net- 
works from the latest cybercriminal methods. In FY2014, the Se- 
cret Service notified or responded to network intrusion incidents at 
nearly 400 organizations. 

As the Secret Service investigates cybercriminal activity, we fre- 
quently discover new criminal techniques or methods that can in- 
form computer network defense activities. As the Secret Service 
discovers such information, we partner with the National Cyberse- 
curity and Communications Integration Center (NCCIC), and other 
public and private entities, to rapidly and widely disseminate ac- 
tionable cybersecurity information, while protecting victim privacy 
and ongoing investigations. 

For example, this past summer, UPS Stores, Inc. announced it 
had been able to use information published in a joint report on the 
Back-Off malware to protect itself and its customers from 
cybercriminal activity. The information in this report was derived 
from a Secret Service investigation of a network intrusion at a 
small retailer in upstate New York. As a result, UPS Stores, Inc. 
was able to identify 51 stores in 24 States that had been impacted, 
approximately 1 percent of their total stores, and then contain and 
mitigate this cyber incident before it developed into a major data 
breach. 

The Secret Service continues to expand its network of Electronic 
Crimes Task Forces (ECTFs) and build relationships with public 
and private-sector partners in order to further improve our ability 
to share actionable cybersecurity information in a timely manner. 

Q.2. Second, what obstacles or constraints delay the dissemination 
of such information? 

A.2. The primary constraint in disseminating cybersecurity infor- 
mation is sufficient personnel to analyze the cyberthreat informa- 
tion collected through Secret Service investigations, in order to ex- 
tract the relevant actionable cybersecurity information to enable 
computer network defense activities, while protecting victim pri- 
vacy and ongoing investigations. 


RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER 
FROM WILLIAM NOONAN 

Q.1. In responding to all questions below (in every category), please 
respond as if a “data security breach” is the “unauthorized access 
to, or acquisition from, a system operated or maintained by a finan- 
cial institution or other entity within the financial services indus- 
try, or an agent, affiliated organization or service provider to that 
financial institution or other financial services entity, that com- 
promises the protection, security, integrity, confidentiality, or pri- 
vacy of any customer financial information that is itself personally 
identifiable or that may be associated with personally identifiable 
information of a customer.” 

How many data security breaches of systems operated or main- 
tained by a financial institution or other entity within the financial 
services industry — whether such breach has been publicly reported 
or not — is your Government department or agency aware occurred 
during 2013 or 2014? In responding to this question, please note 
the following request for an explanation: 

If your response to the foregoing question is that you do not have 
knowledge of any such data security breaches whatsoever, please 
indicate why your department or agency is not aware of any 
breaches given the public reports of multiple breaches within the 
industry in 2013 or 2014. 

Additionally, if your department or agency has knowledge of such 
data security breaches that includes nonpublic information, and 
your answer will indicate that you are subject to a confidentiality 
obligation that prohibits your answering this question completely, 
please indicate which specific Federal law or other rule prohibits 
you from testifying to the Committee about this information on 
data security breaches of which your department or agency has 
knowledge. 

A.1. The Secret Service has identified 52 case files involving 
confirmed data breaches of financial services entities in 2013 or 2014. 

Q.2. Of those data security breaches at financial institutions and/ 
or other entities within the financial services industry which your 
department or agency is aware occurred in 2013 or 2014, please in- 
dicate: 

Approximately how many financial services customers — whether 
individuals or organizations — you estimate were affected by each of 
those data security breaches. 

A.2. The Secret Service does not generally keep records of the num- 
ber of customers affected, and instead focuses on the total fraud 
losses or other measures of economic impact. A review of the 52 
case files indicates that the cases vary from potentially a single 
customer impacted to millions of customers impacted. Recorded 
fraud losses range from $2,000 to in excess of $8 million. 

Q.3. How many data security breaches resulted in individual cus- 
tomer notices mailed, emailed, or otherwise personally delivered to 
affected customers by the financial institution or other financial 
services entity? 

A.3. The Secret Service generally keeps no records on whether cus- 
tomer notifications are performed as a result of a data security 
breach. The Secret Service is focused on investigating and 
apprehending the criminals responsible for data breaches. 

Q.4. How many data security breaches resulted in some form of 
public notice by the financial institution or other financial services 
entity? (In response to this subquestion, please indicate for each 
data security breach if notice was made to major media outlets in 
the geographic region served by the institution or entity, and/or if 
the notice resulted from media reports following a public regulatory 
filing.) 

A.4. The Secret Service does not generally keep records on whether 
the victim organization made any form of public notice. 

Q.5. How many data security breaches have never resulted in any 
form of individual customer notices mailed, emailed, or otherwise 
personally delivered to affected customers by the financial institu- 
tion or other financial services entity? 

A.5. The Secret Service does not generally keep records on whether 
the victim organization made any form of notice to their customers. 

Q.6. Of those data security breaches which you are aware occurred 
in 2014, and for which no individual customer notice was given by 
the financial institution or other financial services entity, has your 
department or agency investigated the circumstances of the breach 
and considered taking any action to require or encourage individual 
customer notice of the same by such institution or entity? 

A.6. The Secret Service is focused on working collaboratively with 
victim companies to investigate the criminals responsible for data 
breaches and minimize fraud losses. The Secret Service does not 
have authority to require victim companies to make customer no- 
tice, and generally only encourages companies to take actions as 
they further our investigative aims of countering the cybercriminal 
activity. 

Q.7. Has your department or agency ever engaged in any enforce- 
ment action against a financial institution or other entity within 
the financial services industry for failure to individually notify af- 
fected customers of a data security breach suffered by that entity? 
If yes, please specify the specific date of the department or agency 
action, the type of action taken, the entity which was subject to the 
action, and the amount of any penalty or fine that was assessed. 
If no, please indicate the reason why your department or agency 
has not. 

A.7. The Secret Service has not engaged in any enforcement action 
against a financial institution or other entity within the financial 
services industry for failure to individually notify affected cus- 
tomers of a data security breach suffered by that entity. The Secret 
Service does not have any authority to engage in any such enforce- 
ment action. 

Q.8. Has your department or agency ever assessed any civil pen- 
alty or fine against a financial institution or other entity within the 
financial services industry for failure to individually notify affected 
customers of a data security breach suffered by that entity? If yes, 
please specify the specific date of the department or agency action, 
the type of action taken, the entity which was subject to the action. 
and the amount of any penalty or fine that was assessed. If no, 
please indicate the reason why your department or agency has not. 

A.8. The Secret Service has never assessed any civil penalty or fine 
against a financial institution or other entity within the financial 
services industry for failure to individually notify affected cus- 
tomers of a data security breach suffered by that entity. The Secret 
Service does not have any authority to assess civil penalties or 
fines for such matters. 
Additional Material Supplied for the Record 

LETTER TO AGENCIES SUBMITTED BY CHAIRMAN JOHNSON AND 

SENATOR CRAPO 


United States Senate 

October 21, 2014 


The Honorable Jacob Lew 
Secretary 
U.S. Department of the Treasury 
1500 Pennsylvania Avenue, NW 
Washington, DC 20220 

The Honorable Martin Gruenberg 
Chairman 
Federal Deposit Insurance Corporation 
550 17th Street, NW 
Washington, DC 20429 

The Honorable Debbie Matz 
Chair 
National Credit Union Administration 
1775 Duke Street 
Alexandria, VA 22314 

The Honorable Janet Yellen 
Chair 
Board of Governors of the Federal Reserve System 
20th Street and Constitution Avenue, NW 
Washington, DC 20551 

The Honorable Thomas Curry 
Comptroller 
Office of the Comptroller of the Currency 
400 7th Street, SW 
Washington, DC 20219 

Dear Secretary Lew, Chair Yellen, Comptroller Curry, Chairman Gruenberg, and Chair Matz: 

Over the past decade, cybersecurity has become a foremost national priority for both the government and the private 
sector. Our networks and information systems are under attack from a wide range of actors, including sophisticated 
criminal organizations, nation-states, and "hacktivists," who commit cyberattacks for a variety of reasons. Cyberattacks 
come in many different forms, including distributed denial of service attacks against websites, point-of-sale attacks against 
merchants, malware attacks to infiltrate secure systems, phishing scams, and many more. 

As Chairman and Ranking Member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, we are 
particularly concerned with the safety and integrity of the U.S. financial system, especially as it pertains to Americans' 
personal financial information. The economic impact of cyberattacks is staggering. A recent Center for Strategic and 
International Studies report projected global economic losses of up to $575 million annually in the US alone. An earlier 
report cited by President Obama estimated losses of $1 trillion just from intellectual property theft by cyberattacks over 
the previous year. Financial institutions are a particularly lucrative target. Many find themselves under constant attack, 
with some spending up to $250 million per year on cybersecurity. 

According to Larry Zelvin, Director of the National Cybersecurity and Communications Integration Center at the 
Department of Homeland Security (DHS), of the sixteen critical infrastructure sectors, "finance probably wins the 
cybersecurity threat award. . . . [The industry is] a massive target . . . because [it is] where the money is." The Office of 
the Comptroller of the Currency recently noted in its Semi-Annual Risk Perspective for U.S. banks that [cyberattacks and 
breaches] are a leading operational risk and that "recurring security breaches at retail merchants highlight the 
interdependencies in today's payment systems . . . there is concern that criminals will transition from disruptive attacks to 
attacks that are intended to cause destruction and corruption." 

Over the past year, we have seen a notable increase in the frequency and scope of data breaches at U.S. companies, which 
often involve the theft of customers' financial and other personal information. According to a recent study conducted by 
the Ponemon Institute, 43 percent of companies experienced a breach in the last year, up from 33 percent the prior year, 
and 60 percent reported a breach in the last two years. These numbers likely underestimate the magnitude of the current 
threat, as many breaches occur undetected. In the words of former FBI Director Robert Mueller, "There are only two 
types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that 
have been hacked and will be again." Earlier this month, JPMorgan Chase, the nation's largest bank by assets, announced 
that personal information from 76 million households and 7 million small businesses had been compromised, one of the 
largest corporate breaches in history. Additional reports indicate that at least a dozen financial companies were targeted 
by the same hacker group. Ensuring that customer information is secure is essential to the integrity of the financial 
system. Furthermore, as new forms of payment become increasingly popular, strong data security will take on even 
greater importance. 

While we recognize that federal agencies have heightened their attention to cybersecurity issues, we are writing to seek 
more information on the role your agency or Department is playing to protect our financial system from cyberattacks. 
Please also respond to the following questions to the extent they are applicable to your agency or Department. 

First, what is your agency's or Department's process for acquiring information on potential or occurring cyberattacks and 
passing information to the financial services sector in a timely manner? What obstacles and/or legal restrictions hinder 
information sharing? Specifically, as the financial services sector's Sector-Specific Agency, Treasury has a number of 
responsibilities described in Presidential Policy Directive 21 and Executive Order 13636. What actions is Treasury taking 
to fulfill those responsibilities? 

Second, please describe what coordination and interaction each of your agencies and Department have with each other, as 
well as law enforcement, DHS, and the intelligence community. How would legislative proposals improve or impede 
your coordination and relationships with other government agencies? 

Third, last year, the Financial Stability Oversight Council (FSOC) recommended that regulators devote additional 
supervisory attention toward cybersecurity. What is the FSOC's role in monitoring cybersecurity risks? 

Finally, earlier this year the Federal Financial Institutions Examination Council announced that it is planning 
cybersecurity and risk-mitigation assessments to help smaller institutions address cybersecurity gaps. Please describe this 
effort and what particular considerations or risks may exist at institutions of varying sizes. 

It is vital that government agencies and private institutions remain vigilant and coordinated in ensuring the safety and 
security of our networks, especially as it applies to the valuable personal and financial information of American 
consumers. 

Thank you for your attention to this matter. 


Sincerely, 

LETTER OF RESPONSE SUBMITTED BY JOINT AGENCIES 



December 9, 2014 


The Honorable Timothy P. Johnson 
Chairman 

Committee on Banking, Housing, and Urban Affairs 
United States Senate 
Washington, DC 20510 

Dear Chairman Johnson: 

Thank you for your letter dated October 21, 2014, regarding the role of our agencies in 
protecting the United States financial system from cyber threats. 

We agree with you that cybersecurity is a foremost national priority. Responding to the cyber 
threat demands a commensurate level of attention and one that can be best achieved by 
recognizing the distinct roles, responsibilities, and authorities of organizations. This includes 
collaboration between cabinet agencies such as Treasury, independent state and federal 
regulatory agencies, law enforcement, the intelligence community, and, importantly, the private 
sector companies, which own and operate the vast majority of our nation's financial sector 
infrastructure. 

The financial sector, federal and state regulators, and the Treasury coordinate through the 
Financial and Banking Information Infrastructure Committee (FBIIC) to address critical 
infrastructure concerns including cyber threats and vulnerabilities. Earlier this year, we 
instituted regular meetings of the top officials from each FBIIC member to focus on strategic, 
policy-level issues around cybersecurity and related coordination. This collaboration is 
contributing to shared threat briefings, the development of more dynamic information sharing 
processes, and exercises to test incident response protocols. 

Additionally, the federal banking and credit union agencies coordinate and share information 
through the Federal Financial Institutions Examination Council (FFIEC). Over the past year, 
through the creation of the Cybersecurity and Critical Infrastructure Working Group (CCIWG), 
the FFIEC members have undertaken a number of steps to assess the level of preparedness 
among financial institutions and raise awareness to help institutions to improve their 
cybersecurity preparedness. 




We look forward to continuing to engage with you on this issue in the future. The nature of the 
cyber threat will continue to require our vigilance and dedication. We are providing you with 
this joint response to reinforce our belief in the importance of both this issue and the close 
coordination required to address it. You should expect to receive individual letters from each of 
our agencies that reflect our unique roles and authorities. 


Sincerely, 


Secretary 
Department of the Treasury 


Chair 


Debbie Matz 
Chair 
National Credit Union Administration 


Identical letter sent to: 

The Honorable Michael D. Crapo 
LETTER OF RESPONSE SUBMITTED BY THE DEPARTMENT OF THE 

TREASURY 



DEPARTMENT OF THE TREASURY 
WASHINGTON, D.C. 


December 9, 2014 


The Honorable Timothy P. Johnson 
Chairman 

Committee on Banking, Housing, and Urban Affairs 
United States Senate 
Washington, DC 20510 

Dear Chairman Johnson: 

Thank you for your letter regarding federal government efforts to protect the U.S. financial 
system from cybersecurity threats. In addition to our joint letter with the federal banking and 
credit union regulators reaffirming our commitment to and extensive collaboration on 
cybersecurity matters, the Secretary asked that I write to you separately to provide you more 
detail on Treasury's role and efforts. 

Treasury serves as the day-to-day federal interface and coordinating agency for the financial 
services sector under Presidential Policy Directive 21 (PPD-21). PPD-21 establishes a unified 
approach to strengthen and maintain secure, functioning, and resilient critical infrastructure 
against cyber and physical threats in 16 critical sectors. In order to fulfill its responsibilities 
under PPD-21 and the related executive order (EO 13636), Treasury: 

• Coordinates with the White House, the Department of Homeland Security (DHS), law 
enforcement and the intelligence community, as well as independent financial 
regulators— activities designed to strengthen the resilience of the financial sector; 

• Interfaces between financial institutions and government agencies to, among other things, 
facilitate Requests for Technical Assistance and prioritize government resources to help 
respond to incidents; 

• Facilitates the sharing of timely, actionable information regarding cyber threats and 
incidents with a view toward limiting damage from intrusions and stopping contagion 
across systems, networks, and institutions; 

• Assists in effective, prompt response and recovery from cyber incidents to reassure the 
public and protect public and private assets; 

• Promotes best practices, including the NIST Cybersecurity Framework, that help 
operators of financial systems prevent attacks from succeeding and minimize the damage 
from any successful attacks; and 

• Contributes to governmental reports, including the development of an Incentives Report 
and Financial Services Sector Specific Plan. 
Treasury coordinates with federal and state regulators through the Financial and Banking 
Information Infrastructure Committee (FBIIC) to address critical infrastructure concerns, 
including cyber threats and vulnerabilities. The eighteen members of FBIIC engage on issues 
such as streamlining and improving information sharing; identifying best practices across the 
sector (including for small and medium size financial institutions); and enhancing the 
coordination of incident responses. Recently, Treasury Secretary Lew and Deputy Secretary 
Bloom Raskin began to regularly convene top officials from the FBIIC member agencies and 
organizations. These meetings focus on strategic, policy-level issues around cybersecurity and 
other operational risks within the financial sector. 

In order to monitor matters related to financial stability, the Financial Stability Oversight Council 
(FSOC) also receives specific input on the state of cybersecurity risks through FBIIC 
representatives of its member agencies, as well as from Treasury directly. This has included 
holding public and private sessions on cybersecurity, including threat briefings related to 
ongoing incidents. However, FSOC is not the forum for day-to-day coordination on 
cybersecurity and defers that responsibility to the FBIIC. 

As you identify in your letter, information sharing is a crucial component of government and 
private sector cybersecurity efforts. Establishing shared awareness of cyber threats requires that 
diverse stakeholders, including government agencies and private sector companies, with 
insights into malicious activity combine their knowledge to identify actionable information to 
better secure systems. To help facilitate timely sharing and analysis of information about cyber 
threats to the financial sector, Treasury established the Financial Sector Cyber Intelligence 
Group (CIG). The CIG develops and shares actionable information and collaborates with 
interagency partners to provide classified and unclassified cybersecurity briefings to private 
sector officials. The CIG works especially closely with DHS and the FBI in these efforts to 
provide financial sector expertise through established liaison officers. The CIG also works 
closely with private sector organizations, including the Financial Services Information Sharing 
and Analysis Center (FS-ISAC). To that end, we commend the FFIEC for their cybersecurity 
examination pilot and particularly their recommendation that "firms of all sizes participate in the 
FS-ISAC as part of their process to identify, respond to, and mitigate cybersecurity threats and 
vulnerabilities". 

We look forward to continuing discussions with you on this critically important and highly 
complex subject so that we may work together to advance the objective of improving financial 
sector resiliency for the twenty-first century. 


Sincerely, 

Randall DeValk 
Counselor to the Secretary 


Identical letter sent to: 

The Honorable Michael D. Crapo 
LETTER OF RESPONSE SUBMITTED BY FEDERAL DEPOSIT 
INSURANCE CORPORATION 


FEDERAL DEPOSIT INSURANCE CORPORATION, 


MARTIN J. GRUENBERG 
CHAIRMAN 


November 24, 2014 


Honorable Tim Johnson 
Chairman 

Committee on Banking, Housing, and Urban Affairs 
United States Senate 
Washington, D.C. 20510 

Dear Chairman Johnson: 

Thank you for your letter seeking information on the role the Federal Deposit Insurance 
Corporation is playing to protect our financial system from cybersecurity threats. We share your 
concern that cybersecurity threats pose a risk to the safety and integrity of the U.S. financial 
system. 

The FDIC recognizes that there are several essential components to our response to the 
cybersecurity threats facing the financial services industry. These include the process of 
acquiring and sharing actionable information. In this regard, the FDIC actively participates in a 
wide range of interagency and public/private information-sharing initiatives. In addition, the 
FDIC coordinates closely with our fellow regulators, law enforcement, and the intelligence 
community in addressing threats to the financial industry. 

The FDIC also is engaged in strengthening our cybersecurity supervisory programs. The 
FDIC regularly and routinely evaluates all of its regulated financial institutions' information security 
programs through our information technology (IT) examinations. The federal banking agencies also 
conduct IT examinations of major technology service providers that provide services to financial 
institutions. These examinations are designed, in part, to ensure that financial institutions protect 
both bank and customer information. Depending on the findings from our examinations, informal or 
formal enforcement action may be pursued to achieve corrective actions. 

The FDIC's Division of Risk Management Supervision prepared the enclosed responses 
to your questions. Thank you for your interest in this important matter. If you have additional 
questions, please call me at (202) 898-3888 or Eric Spitler, Director of the Office of Legislative 
Affairs, at (202) 898-7140. 


Sincerely, 

Martin J. Gruenberg 



Enclosure 
Response to an Inquiry from 

The Honorable Tim Johnson and The Honorable Mike Crapo 
Committee on Banking, Housing, and Urban Affairs 
United States Senate 


Q1: What is your agency's or department's process for acquiring information on potential 
or occurring cyberattacks and passing information to the financial services sector in a 
timely manner? What obstacles and/or legal restrictions hinder information sharing? 

A1. Cybersecurity has become an issue of the highest importance for the Federal Financial 
Institutions Examination Council (FFIEC) members¹ and throughout the federal government. The 
rapidly evolving nature of cybersecurity risks reinforces the need for regulators, financial 
institutions, and critical technology service providers to have appropriate procedures in place for 
collecting, monitoring, sharing, and responding to the latest cyber-related threat information. As 
such, the FDIC actively participates in interagency and public/private information-sharing 
initiatives including: the Department of Homeland Security (DHS) National Cybersecurity and 
Communications Integration Center's Cyber Unified Coordination Group; the Financial and 
Banking Information Infrastructure Committee (FBIIC), a group chartered as part of the 
President's Working Group on Financial Markets to facilitate interagency communication among 
federal agencies; and, the Financial Services Information Sharing and Analysis Center (FS- 
ISAC), a public/private information forum for sharing cybersecurity and information technology 
related risk information. The FDIC also has served a unique role since 2007 by providing a staff 
member to serve as the FBIIC liaison to DHS. This position initially was embedded with DHS' 
Infrastructure Protection area, supporting the DHS Banking and Finance Sector specialist. Given 
the increasing cybersecurity risk faced by the financial services sector, this liaison role expanded 
to DHS's National Cybersecurity and Communications Integration Center (NCCIC) after its 
activation in 2009. This individual also represents the FBIIC on the NCCIC's Cyber Unified 
Coordination Group. 

Real-time threat and vulnerability information also is obtained by each of the individual FFIEC 
members from a variety of sources, including directly from supervised financial institutions, 
examiners, the Department of the Treasury, and technology service providers. 

Whenever possible, and as appropriate, the FDIC and the FFIEC share information with the 
financial services industry to provide details of cybersecurity threats, risk mitigation steps, and 
reference materials to consider. Some of these issuances are posted on FFIEC member public 
websites, while others are distributed through non-public sites available only to examiners and 
financial institutions. When requested by the Treasury, the FDIC has shared sensitive 
information regarding potential or occurring cyber-attacks directly with financial institutions 
through a secure non-public web portal. Financial institutions also may receive cybersecurity 
threat and vulnerability information from law enforcement and intelligence agencies that 
maintain relationships with the private sector, and through information sharing forums such as 


¹ The FFIEC members are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, 
the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union 
Administration, and the State Liaison Committee. 
the FS-ISAC and DHS's United States Computer Emergency Readiness Team (US-CERT). On 
April 10, 2014, the FDIC issued a press release providing the institutions it supervises with a list 
of the available sources for cyber-related threat and mitigation information. 

The FDIC also relies on information-sharing relationships to ensure our operations are safe and 
secure. The FDIC has a designated Federal Senior Intelligence Coordinator, who promotes 
intelligence sharing within the FDIC and between the FDIC and other agencies. In addition, 
forums, such as the federal Chief Information Officer Council, provide critical insights on 
sensitive cybersecurity matters and include law enforcement, the intelligence community, and 
DHS. To ensure sensitive information is protected and shared appropriately, the FDIC recently 
created a Sensitive Compartmented Information Facility for exchanging classified intelligence 
internally and with other agencies. 

While the scope of information sharing among the FFIEC members and the industry is generally 
strong, the rapidly evolving nature of cybersecurity incidents has highlighted gaps in the legal 
framework. For example, the Gramm-Leach-Bliley Act (GLBA), Section 501(b) requires the 
bank regulatory agencies to develop Interagency Guidelines Establishing Information Security 
Standards (12 C.F.R. 364, Appendix B) requiring every financial institution to have an 
information security program approved by the institution's board of directors to protect customer 
information. Similarly, the Federal Trade Commission (FTC) can enforce standards for 
protection of customer information (16 C.F.R. 314) by all other financial institutions that are not 
insured depository institutions. However, others, such as retailers, are not subject to national 
regulatory requirements to protect customer data. Further, the Bank Service Company Act 
(BSCA), 12 U.S.C. 1867, was enacted in 1962. Given the significant changes that have occurred 
in the fields of information technology (IT) and cybersecurity since 1962, the FDIC would 
recommend a review of the Bank Service Company Act to determine whether additional 
enforcement authority is necessary for the federal banking agencies with respect to non-bank 
financial institutions that provide direct services to banks. 


Q2: Please describe what coordination and interaction each of your agencies and Department 
have with each other, as well as law enforcement, DHS, and the intelligence community. How 
would legislative proposals improve or impede your coordination and relationships with other 
government agencies? 

A2. Coordination among the FFIEC members, law enforcement and the intelligence community 
is critically important to maximize intelligence awareness within the FDIC and the financial 
services industry at large. In order to facilitate this coordination, the FDIC has designated 
representatives that coordinate these relationships and ensure information is disseminated 
appropriately. While we recognize the support of our law enforcement and intelligence partners, 
information sharing obstacles associated with ongoing law enforcement investigations can 
present a challenge. For example, the findings from forensic analysis and the methodologies 
used by attackers identified during law enforcement investigations may be useful in drafting 
supervisory guidance or responses if shared earlier in the process with regulators that possess 
appropriate security clearances. Moreover, the interagency sharing of financial institution cyber 
incident information beyond just the primary federal regulator may be valuable to support our 
role as insurer and backup regulator. As such, the FDIC and the other FFIEC members are 
working through the FBIIC to strengthen information sharing protocols among law enforcement 
and the FFIEC. 


Q3: The Financial Stability Oversight Council (FSOC) recommended that regulators devote 
additional supervisory attention toward cybersecurity. What is the FSOC's role in monitoring 
cybersecurity risks? 

A3. As established by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. 
L. 111-203), the Financial Stability Oversight Council (FSOC) is tasked with identifying risks to 
the financial stability of the United States, promoting market discipline, and responding to 
emerging risks to the stability of the United States financial system. The Chairman of the FDIC 
serves as one of the ten voting members of the FSOC that provides a forum for regulatory 
coordination and information-sharing regarding policy development, rulemaking, supervisory 
information, and reporting requirements. The FSOC has identified cyber-attacks as a potential 
threat to the financial system and recommended that financial regulators continue their efforts to 
assess cyber-related vulnerabilities facing their regulated entities and identify gaps in oversight 
that need to be addressed. The establishment of the FFIEC Cybersecurity and Critical 
Infrastructure Working Group (CCIWG) is consistent with the recommendations of the FSOC. 

The FFIEC serves as the formal interagency body empowered to prescribe uniform principles, 
standards, report forms, and information sharing to support the federal examination of financial 
institutions. While the FFIEC has in place established task forces that facilitate collaboration 
and information sharing, the FFIEC recognized that a more focused approach was needed to 
address the emerging cybersecurity challenges. In response, the FFIEC formed the CCIWG in 
June 2013 to serve as a liaison with the intelligence community, law enforcement, and the DHS 
on issues related to cybersecurity and the protection of critical infrastructure. The CCIWG is 
empowered to help the banking agencies collaborate in establishing cyber-related examination 
policy, developing training programs, coordinating responses to cybersecurity incidents, and 
managing information-sharing efforts. 


Q4: Earlier this year the Federal Financial Institutions Examination Council announced that 
it is planning cybersecurity and risk-mitigation assessments to help smaller institutions 
address cybersecurity gaps. Please describe this effort and what particular considerations or 
risks may exist at institutions of varying sizes. 

A4. The FFIEC members are undertaking a number of initiatives to raise awareness of financial 
institutions and their critical third-party service providers with respect to cybersecurity risks and the need 
to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber 
threats. These include: 

• April 2014: Issued joint press releases informing institutions about three vulnerabilities: 
the OpenSSL “Heartbleed vulnerability," cyber-attacks on automated teller machines and 
card authorization systems, and distributed denial of service attacks. 
• May 2014: Conducted a webinar for approximately 5,000 chief executive officers and 
senior managers from community financial institutions to highlight efforts to enhance 
cybersecurity measures. The FFIEC offered this webinar to raise awareness about the 
pervasiveness of cyber threats, discuss the role of executive leadership in managing these 
risks, and share actions being taken by the FFIEC. 

• June 2014: Launched a cybersecurity webpage to help promote the awareness of 
cybersecurity and to serve as a central repository for current and future FFIEC-related 
materials on cybersecurity. 

• June 2014: Initiated a pilot cybersecurity focused work program at more than 500 
community institutions and technology service providers. The work program was 
completed by state and federal regulators during regularly scheduled examinations. 
Regulators focused particularly on risk management and oversight of threat intelligence 
information, cybersecurity controls, cyber incident management, technology service 
provider risk management, and resilience. Another aim of the pilot was to help regulators 
make risk-informed decisions to enhance the effectiveness of supervisory programs, 
guidance, and examiner training. 

• November 2014: Released general observations from the Cybersecurity Assessment 
describing the range of inherent risks and the varied risk management practices observed 
among financial institutions. The document provides suggested questions for chief 
executive officers and boards of directors to consider when assessing their financial 
institutions' cybersecurity and preparedness without setting forth regulatory guidance. 

• November 2014: Issued joint statement highlighting the value for institutions of all sizes 
of participating in cyber-related information sharing forums such as the FS-ISAC to 
ensure awareness of cybersecurity threats and vulnerabilities. 

In addition, the FDIC recognizes that addressing cyber risks can be especially challenging for 
community banks and we have taken a number of independent actions to further improve 
awareness of cyber risks and encourage practices to protect against threats: 

• July 2013: Issued a technical assistance video on information technology, highlighting 
for bank directors how the basic information technology governance framework applies 
to cyber events, such as account takeovers and distributed denial of service attacks. 

• April 2014: Issued a press release urging financial institutions to utilize available cyber 
resources to identify and help mitigate potential threats. 


• April 2014: Re-issued documents that contain practical ideas for community banks to 
consider when they engage in technology outsourcing. The documents are: Effective 
Practices for Selecting a Service Provider; Tools to Manage Technology Providers' 
Performance Risk: Service Level Agreements; and Techniques for Managing Multiple 
Service Providers. 
• July 2014: Distributed an information package to chief executive officers of all FDIC- 
supervised institutions that included a copy of Cyber Challenge: A Community Bank 
Cyber Exercise. FDIC created Cyber Challenge to encourage community financial 
institutions to discuss operational risk issues and the potential impact of information 
technology disruptions on common banking functions. The Cyber Challenge exercise is 
designed to facilitate discussion between financial institution management and staff about 
operational risk issues. The exercise can provide valuable information about an 
institution's current state of preparedness and identify opportunities to strengthen 
resilience to operational risk. Cyber Challenge consists of four short video vignettes and 
related challenge questions. Each video vignette depicts a unique scenario, including an 
item processing failure, a customer account takeover, a phishing and malware case, and a 
problem with a technology service provider. The challenge questions for each vignette 
are designed to facilitate discussion about how the bank would respond to the scenario. 
Also included were lists of reference materials where participants could obtain additional 
information. 
LETTER OF RESPONSE SUBMITTED BY THE NATIONAL CREDIT UNION 
ADMINISTRATION 



National Credit Union Administration 
Office of the Chairman 

December 1, 2014 

The Honorable Tim Johnson 
Chairman 
Senate Committee on Banking, 
Housing and Urban Affairs 
534 Dirksen Senate Office Building 
Washington, DC 20510 

The Honorable Mike Crapo 
Ranking Member 
Senate Committee on Banking, 
Housing and Urban Affairs 
534 Dirksen Senate Office Building 
Washington, DC 20510 

Dear Chairman Johnson and Ranking Member Crapo: 

Thank you for your October 21, 2014, letter about what NCUA is doing independently as an 
agency and cooperatively with our fellow financial institutions regulators and the U.S. 
Department of the Treasury to combat cyber-attacks. I very much agree with you about the need 
for regulators to take steps to protect the financial services sector from cybersecurity threats. 


NCUA collaborates closely with our counterparts within the federal government to develop and 
issue cybersecurity guidance for federally supervised or insured credit unions. For example, our 
technical experts participate on the Federal Financial Institutions Examination Council (FFIEC) 
information security and cybersecurity working groups. We actively promote the use of the 
FFIEC IT Handbooks, which constitute the majority of information and cybersecurity 
examination guidance and policies for financial institutions. 


Furthermore, we regularly receive and share information on cybersecurity and other national 
security threats through our participation on the Financial and Banking Information Infrastructure 
Committee (FBIIC). Additionally, we are developing protocols to receive and share intelligence 
reports on cybersecurity threats. We also receive updates on cyber-attacks directly from the 
Department of the Treasury, the Federal Bureau of Investigation, the Department of Homeland 
Security, and the U.S. Secret Service. 


Moreover, NCUA has worked to align the agency's efforts with the FFIEC's initiatives through 
the Cybersecurity and Critical Infrastructure Working Group. We also continue to work 
collaboratively with our FFIEC and FBIIC counterparts to encourage credit unions to join the 
Financial Services Information Sharing and Analysis Center and similar organizations to increase 
preparedness and improve information sharing throughout the financial services sector. 

In addition, NCUA has deployed a comprehensive cybersecurity resources page on our website. 
The webpage features a wealth of information on cybersecurity threats, tactics and preventive 
measures for credit unions to review and use. NCUA is also in the process of developing a 
critical communications portal for our supervised institutions and state regulatory partners. 
NCUA further employs a risk-based approach toward cybersecurity by focusing our specialized 
resources on the institutions that pose the greatest potential risk. Although our supervisory focus 
is on decreasing risk across the system through targeted examination of our larger institutions, we 
remain concerned that small institutions are equally at risk. 

As part of the 2014 budget, the NCUA Board additionally established the Office of Continuity 
and Security Management. NCUA created this office to aggregate all security-related functions, 
including continuity of operations planning, physical security, and personnel security. The office 
also addresses national security issues affecting the financial services industry, including 
compliance with various statutes and orders related to the safeguarding of critical infrastructure 
and other national assets and protecting against cybersecurity threats. 

To bolster the agency's cybersecurity expertise, NCUA's 2015 budget also included two new 
positions. First, the budget added a new intelligence specialist within the Office of Continuity 
and Security Management with knowledge of both financial sector threats and cybersecurity 
threats. This new position will provide support to NCUA network security and business 
operations by sharing information on critical infrastructure protection for the credit union sector 
and coordinating with the interagency initiatives jointly managed with FBIIC. Second, the 
budget provided for a new cybersecurity manager within the Office of Examination and 
Insurance. This position will help to establish the policy, risk management and communication 
objectives to support the cybersecurity priorities of NCUA and the interagency initiatives jointly 
managed with the FFIEC to protect the financial services industry. 

Finally, as I have previously testified, NCUA is the only federal financial institutions regulator 
without the authority to examine third-party vendors, which provide technology solutions and 
payment systems services for small institutions. This lack of authority represents a growing 
regulatory blind spot that poses an increasing risk across the credit union sector, in particular as it 
relates to cybersecurity. NCUA again requests that Congress act on this legislative priority for 
the agency. A more detailed discussion of this legislative request is found below. 

The remainder of this letter addresses the specific questions raised in your incoming letter. 

First, your letter asks how NCUA acquires information about potential or occurring attacks 
and then shares that information with the financial services sector in a timely way. You also 
ask about legal impediments or restrictions that hinder information sharing. 

As mentioned above, NCUA receives critical cybersecurity information directly from the 
Department of the Treasury, the Department of Homeland Security, and jointly from our FFIEC 
and FBIIC counterparts. The Treasury Department also is coordinating a principals' level 
working group through the FBIIC to address information-sharing protocols. NCUA is further 
establishing protocols to coordinate with the intelligence community and our partner FBIIC 
agencies on prioritizing collection and analysis on cybersecurity and other national security 
threats to the financial services sector. NCUA also receives regular unclassified cybersecurity 
updates and threat reporting from the Department of Homeland Security, the Federal Bureau of 
Investigation, and public sources. 

NCUA is not aware of specific legal restrictions or impediments concerning the sharing of 
information among the federal regulatory agencies with supervisory oversight for financial 
institutions. Provisions of federal law specifically contemplate that the agencies will share 
examination and supervisory information. For example, federal law provides that covered 
agencies, including the NCUA and the federal banking agencies, may share information among 
themselves without waiving any applicable privileges associated with that information and 
recognized under applicable federal or state law. 

FFIEC Rules of Operation also contain guidelines that govern the way in which information may 
be shared among the Council's members. FFIEC members may, in cases involving specific 
subsets of information, such as with the Home Mortgage Disclosure Act, enter uniquely drafted 
Memorandums of Understanding to govern the sharing and use of that information. The Right to 
Financial Privacy Act also contains an exception that specifically authorizes the exchange of 
financial records, examination reports, or other information involving regulated financial 
institutions among and between the member agencies comprising the FFIEC, as well as the 
Securities and Exchange Commission, Federal Trade Commission, and Commodity Futures 
Trading Commission. 

Additionally, NCUA and the other financial services regulatory agencies are parties to a 
Memorandum of Understanding through which the agencies may share information pertaining to 
violations of the Bank Secrecy Act with the Financial Crimes Enforcement Network. In 
response to properly authorized and documented requests, NCUA and the other financial services 
regulators also share relevant information with other law enforcement agencies. 

In terms of practical constraints affecting information sharing, current regulatory reporting 
requirements are limited in scope to breaches of sensitive consumer information. Financial 
institutions are not required to report incidents unrelated to those types of breaches. Incidents 
unrelated to a breach may be captured on a suspicious activity report. However, the number and 
volume of such incidents can be material should a report be required for each incident. 

As noted above, NCUA works with other financial services agencies and the Department of the 
Treasury to share information internally. In sharing information with agencies outside the 
financial services regulatory framework or with the public sector, NCUA must balance the 
need-to-know and the timeliness of critical cybersecurity information with the requirements to provide 
necessary protections for proprietary financial information. 

External sharing remains a challenge due to the sensitive nature of some of the information. This 
information may be part of a criminal investigation or it could be supervisory in nature, including 
protected proprietary business information or information we cannot easily disconnect from the 
institution that could reap additional harm to the institution if disclosed. Improvements to 
current reporting regulations with the ability to develop a discretionary reporting regimen, such 
as summary versus by incident, may feed additional metrics that could help strengthen overall 
cybersecurity. 

Second, you ask about the coordination between NCUA and the federal banking agencies, the 
Department of the Treasury, the Department of Homeland Security, and the intelligence 
community. You also inquire about how legislative proposals would improve or impede 
interagency coordination and relationships. 

We currently participate on working groups aimed at strengthening the flow of intelligence and 
threat information between agencies. For example, as previously mentioned, NCUA participates 
in FBIIC as well as additional Department of the Treasury critical infrastructure and 
cybersecurity venues. We also coordinate and collaborate with law enforcement regarding 
cyber-attacks on a specific firm or financial institution. 

NCUA regularly receives important information and updates from the Department of the 
Treasury and other agencies, and we make use of that information through either direct 
communication with our supervised institutions or our subject matter experts and specialized 
information technology examiners, based on the criticality and sensitivity of the information. 

NCUA has an ongoing internal assessment process to identify where we can improve our use of 
intelligence and information to stem the exposure of the credit union system to cyber-attacks, as 
well as enhance our sharing protocols. 

A major focus of the FFIEC's Cybersecurity and Critical Infrastructure Working Group includes 
promoting greater communication and information sharing among agencies to improve 
operational awareness across the financial services sector. 

Additionally, most of NCUA's supervised credit unions are very small by financial institutions 
standards. In fact, approximately two-thirds of credit unions hold less than $50 million in assets. 
These institutions have limited resources and more frequently rely to a greater extent on 
outsourced relationships for data processing, information security, and network and payment 
systems management. As a result, third parties play a critical role in credit union cybersecurity 
preparedness. 

However, as noted above. NCUA is the only federal financial institutions regulator without the 
authority to examine third-party service companies. As highlighted in testimony before the 
Senate Banking Committee in September, NCUA's top legislative initiative is to gain parity with 
the other federal regulators. We therefore request that Congress grant similar authority to 
NCUA that the Federal Deposit Insurance Corporation and the Office of the Comptroller of the 
Currency possess under the Bank Service Company Act. Such authority is even more important 
for NCUA because of the large and growing number of credit unions relying on third parties and 
a significant number of credit union-specific service companies that are not covered by the Bank 
Service Company Act. 

The enactment of this legislation by Congress would ensure NCUA is able to participate in joint- 
agency examinations of third-party vendors. By directly examining third-party vendors we can 
address risk at the source and that will, in turn, reduce the amount of time we spend receiving 
third-party vendor information indirectly during credit union exams. This will result in a reduced 
burden on credit unions. 

Third, you ask us to share our view of the Financial Stability Oversight Council's role in 
monitoring cybersecurity risk. 

NCUA has a positive view of the Financial Stability Oversight Council's work on cybersecurity. 
The Council highlighted cybersecurity as a key emerging threat and included recommendations 
related to cybersecurity in its 2014 annual report. The Financial Stability Oversight Council has 
also held briefings on cybersecurity issues for the Council's members, as well as discussions 
within the Council's Systemic Risk Committee and in other venues. The importance placed on 
this issue by the Council has helped NCUA to raise awareness about cybersecurity threats within 
the credit union system. 

Fourth, you ask us to describe the FFIEC's cybersecurity risk assessment aimed at helping 
smaller financial institutions to address cybersecurity gaps. 

The Cybersecurity and Critical Infrastructure Working Group was chartered to focus on 
cybersecurity-specific risks in the financial services sector for entities supervised by the FFIEC 
agencies. The Working Group continues to focus on the central issues of awareness, information 
sharing and communications, and risk mitigation within the financial services sector. 

The Cybersecurity and Critical Infrastructure Working Group conducted a pilot assessment at 
more than 500 institutions during June and July. The agencies jointly employed a comprehensive 
cybersecurity framework for the review. The agencies are currently working to assess the results 
for further consideration and specifically to identify opportunities for: 

• Additional awareness training. 

• Information sharing and communications. 

• Industry guidance. 

• Examination procedures, and 

• Staff alignment and training. 
Information on the pilot assessment can be found on the FFIEC website. The FFIEC agencies 
also recently issued General Observations from the recently completed pilot cybersecurity 
assessment. The General Observations can be found on the FFIEC website, as well. 

The FFIEC agencies have additionally issued a statement recommending all financial institutions 
enhance information sharing and knowledge on cybersecurity threats by tapping into the vast 
resources of the Financial Services Information Sharing and Analysis Center, as well as other 
federal cybersecurity information sources. This Information Sharing Statement is available on 
the FFIEC's website. 

The assessment is providing valuable insight on how FFIEC agencies can better align 
expectations with a comprehensive cybersecurity framework. The assessment is under review, 
and we will focus on opportunities for enhancing cybersecurity in our supervised institutions. 

In closing, thank you again for inquiring about our efforts related to and views on the critical 
issue of cybersecurity. NCUA is committed to addressing cybersecurity threats within the credit 
union system and to working with Congress and other agencies to further protect the financial 
services sector from cyber-attacks. 

Please do not hesitate to contact me about this or any other issue of interest or concern to you. 
LETTER OF RESPONSE SUBMITTED BY THE BOARD OF GOVERNORS 
OF THE FEDERAL RESERVE SYSTEM 



Board of Governors of the Federal Reserve System 
Washington, D.C. 20551 

JANET L. YELLEN 
Chair 

December 05, 2014 


The Honorable Tim Johnson 
Chairman 

Committee on Banking, Housing, 
and Urban Affairs 
United States Senate 
Washington, D.C. 20510 


The Honorable Mike Crapo 
Ranking Member 
Committee on Banking, Housing, 
and Urban Affairs 
United States Senate 
Washington, D.C. 20510 


Dear Mr. Chairman and Ranking Member: 

Thank you for your letter dated October 21, 2014, inquiring about our role in 
protecting the financial services sector from cyberattacks. We agree that these events 
represent a significant risk to the safety of the U.S. financial system and protection of 
personal financial information. 


The Board of Governors of the Federal Reserve System (Board) has long held a 
strong interest in information security at the financial institutions and financial market 
utilities (FMU) we supervise, as well as at the technology service providers supporting 
their activities. Working in conjunction with state and other federal banking regulators, 
we evaluate the numerous cyberthreats to the banking industry and firms’ efforts to 
address these risks through various routine examination and ongoing monitoring 
activities. In addition, in 2014, we engaged in several targeted cybersecurity related 
supervisory initiatives, such as the Federal Financial Institutions Examination Council 
(FFIEC)¹ cybersecurity assessment of community financial institutions. Our efforts also 
involve communication and coordination with the law enforcement and intelligence 
communities, as well as financial industry groups. 


¹ The FFIEC members are the Board of Governors of the Federal Reserve System, Federal Deposit 
Insurance Corporation, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, 
National Credit Union Administration, and the State Liaison Committee. 
Below are responses to your questions that are applicable to the Board. 

1. What is your agency's or Department's process for acquiring information on 
potential or occurring cyberattacks and passing information to the financial services 
sector in a timely manner? 

The timely acquisition and sharing of cyberthreat-related information is conducted 
through a variety of means. The Board engages on an on-going basis with the U.S. 
Treasury, Department of Homeland Security (DHS), and the Financial Services 
Information Sharing and Analysis Center (FS-ISAC), as well as with the law enforcement 
and intelligence communities to maintain awareness of current threats and vulnerabilities 
that could have an impact on the financial services sector. The Board also has staff 
assigned to the Federal Bureau of Investigation’s (FBI) Joint Terrorism Task Force 
(JTTF) to ensure the immediate notification to the Board of threats and vulnerabilities. 

The Board encourages institutions to maintain an awareness of cyber developments and 
obtain threat information directly from the FS-ISAC, DHS, U.S. Computer Emergency 
Readiness Team, the FBI's InfraGard program and other information sharing forums 
rather than rely primarily on the Board as the source of this information. The FFIEC 
member agencies recently issued a joint statement recommending that financial 
institutions of all sizes participate in the FS-ISAC as part of their process to identify, 
respond to, and mitigate cybersecurity threats and vulnerabilities. The FFIEC statement 
advised financial institutions and their critical technology service providers that 
cyberthreat information provided by the FS-ISAC could improve their ability to identify 
attack tactics and successfully mitigate cyberattacks on their systems. Additional 
government resources to assist financial institutions with identifying and responding to 
cyberattacks were also cited in this statement. 

In cases where the Board determines that the nature of a particular cyberthreat warrants 
heightened awareness, we promptly take steps to convey this information directly to 
organizations under our supervision. These notifications generally take the form of joint 
FFIEC statements and alerts issued to the financial services sector. Examiner discussions 
with management during the course of ongoing supervisory activities are another method 
used for rapidly sharing cyberthreat intelligence. 

As a member of the FFIEC, the Board communicates cybersecurity concepts and 
supervisory expectations through the FFIEC Information Technology Handbook (IT 
Handbook), which provides guidance to examiners and management of all financial 
institutions and technology service providers. The Board also participates in efforts to 
raise industry awareness on cybersecurity-related issues, for example through webinar 
presentations delivered to large audiences of financial institutions. 
2. What obstacles and/or legal restrictions hinder information sharing? 

There are no material obstacles or legal restrictions that currently impede the Board’s 
ability to communicate appropriate cybersecurity-related information with financial 
institutions; however, the financial services sector would benefit from increased 
information sharing about cyberattacks among its members. Current statute limits the 
exchange of information solely for the purposes of identifying and reporting activities 
that may involve terrorist acts or money laundering activities without the risk of incurring 
civil liability. Creating a safe harbor to facilitate the timely sharing of information 
concerning other criminal activities, including information about cyberattacks and data 
breaches, would promote the safety of the U.S. financial system. 

3. Please describe what coordination and interaction each of your agencies and 
Department have with each other, as well as law enforcement, DHS, and the 
intelligence community. 

The Board also actively engages with interagency groups such as the Financial and 
Banking Information Infrastructure Committee (FBIIC), Financial Services Sector 
Coordinating Council (FSSCC), and the FFIEC's Cybersecurity and Critical 
Infrastructure Working Group (CCIWG) to share information and collaborate on cyber 
and critical infrastructure-related issues impacting the financial services sector. The 
Board participates in classified briefings provided to the FBIIC, which are typically 
coordinated by the U.S. Treasury Department and conducted by the DHS, FBI and the 
U.S. Secret Service. The Board works within these groups to develop coordinated 
messages to the financial services sector on cyber developments, threat intelligence, and 
ways to improve the sector’s ability to mitigate these risks and respond to actual attacks. 

4. How would legislative proposals improve or impede your coordination and 
relationships with other government agencies? 

The Board would welcome efforts that improve coordination of government agencies on 
cybersecurity-related matters. While the various sources and processes described above 
have generally provided an effective means for acquiring cybersecurity information, 
delays in connection with on-going law enforcement investigations pose an obstacle to 
obtaining and acting on cyberthreats in a timely manner. These investigations usually 
require several months or longer to complete, and information related to forensic analysis 
and attack methodologies is typically not shared in the interim. Given the systemic and 
rapidly evolving nature of cyberthreats, more immediate disclosure from law 
enforcement and intelligence communities to appropriate federal banking agencies would 
enhance our ability to ensure the safety and soundness of the financial services sector and 
protection of consumers. 
5. Last year, the Financial Stability Oversight Council (FSOC) recommended that 
regulators devote additional supervisory attention toward cybersecurity. What is the 
FSOC's role in monitoring cybersecurity risk? 

The FSOC provides an essential forum for communication and coordination of regulatory 
efforts to address cyberthreats across the financial services sector. Cybersecurity 
recommendations contained within FSOC's 2014 annual report have contributed to a 
series of regulatory actions on this topic. The FFIEC and Board cybersecurity 
assessments described below are in direct response to those recommendations and 
intended to assess cybersecurity-related vulnerabilities facing regulated entities and 
identify any gaps in oversight that need to be addressed. Previously cited joint FFIEC 
statements and alerts issued to the financial services sector are examples of recommended 
awareness initiatives. 

6. Earlier this year the Federal Financial Institutions Examination Council announced 
that it is planning cybersecurity and risk-mitigation assessments to help smaller 
institutions address cybersecurity gaps. Please describe this effort and what 
particular considerations or risks may exist at institutions of varying sizes. 

During the summer of 2014, FFIEC members conducted cybersecurity assessments at 
over 500 community financial institutions to evaluate their cybersecurity risk exposure 
and preparedness. The assessments build upon key aspects of existing supervisory 
expectations addressed in the FFIEC IT Handbook and other regulatory guidance. Each 
institution’s current practices and overall cybersecurity preparedness were evaluated, 
with a focus on the following key areas: 

• Risk Management and Oversight 

• Threat Intelligence and Collaboration 

• Cybersecurity Controls 

• External Dependency Management 

• Cyber Incident Management and Resilience 

The assessment found that the level of cybersecurity inherent risk varies significantly 
across the community financial institutions reviewed. Cybersecurity risk management 
also varies by organization. Analysis of the assessment results is still in process; 
however, preliminary findings indicate that most community financial institutions have 
established fundamental cybersecurity controls. Management and board oversight, 
employee training, prevention and detection systems, and processes to manage third-party 
relationships are in varying stages of maturation. Based on the assessment results, further 
enhancements to strengthen cybersecurity at these organizations are warranted and 
currently under way. FFIEC member agencies are evaluating the effectiveness of 
cybersecurity-related supervisory programs, guidance and examiner training guidance to 
align with current industry conditions and changing cybersecurity risks based on the 
results of this assessment. 

During 2014, the Board also conducted a targeted cybersecurity assessment on a select 
group of FMU and large financial institutions. The assessment found that these firms, 
while facing a greater inherent level of cybersecurity risk than community financial 
institutions, are generally well prepared to address existing cyberthreats. The Board and 
the other federal banking agencies are actively engaged with the management of these 
organizations to ensure they maintain an effective state of preparedness against future 
cyberattacks. Since these organizations operate a significant percentage of the nation’s 
critical financial infrastructure, coordination of the U.S. Government's various efforts 
aimed at combating cyberthreats should be prioritized to assist these firms in the 
protection of the financial services sector. 

We appreciate your interest in this matter and would welcome the opportunity to 
be of further assistance. 


Sincerely, 
Office of the Comptroller of the Currency 
Washington, DC 20219 

November 21, 2014 

The Honorable Tim Johnson 
Chairman 
Committee on Banking, Housing, and Urban Affairs 
United States Senate 
Washington, DC 20510-6075 

Dear Chairman Johnson: 

Thank you for your letter dated October 21, 2014, regarding the role of the Office of the 
Comptroller of the Currency (OCC) in protecting our financial system from cyber attacks. The 
OCC has been actively raising the awareness of national banks and federal savings associations 
(collectively, banks) regarding cyber threats and the need to have appropriate methods for 
monitoring, sharing, and responding to information about cyber threats and vulnerabilities. 

Assessing the resiliency of banks is a key focus of our ongoing supervision programs. In 
addition, I want to underscore the OCC's strong commitment to working collaboratively with 
both the government and private sector on cybersecurity. I have stressed repeatedly that 
effective collaboration is essential due to the interconnectedness and interdependencies both 
within the financial sector and between the financial sector and other critical infrastructure 
providers, such as our nation's telecommunications network providers. Indeed, when I became 
chairman of the Federal Financial Institutions Examination Council (FFIEC) last year, one of my 
first actions was to call for the creation of the Cybersecurity and Critical Infrastructure Working 
Group (CCIWG) to help foster and promote such coordination. The CCIWG has been 
operational since June 2013. 

Below are responses to your questions that are applicable to the OCC. 

1. What is your agency's or Department's process for acquiring information on potential or occurring cyber attacks and passing information to the financial services sector in a timely manner? 

The OCC uses information sharing forums, intelligence community relationships, and the supervision process to acquire information on potential or actual cyber threats and attacks. The primary processes by which we obtain information are through: 
• Membership in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for collaboration on critical security threats facing the global financial services sector. 

• Relationships with the law enforcement and intelligence communities, and participation 
in classified briefings. Additionally, the OCC receives significant alerts through the U.S. 
Treasury Department that provide information related to cyber threats. 

• Ongoing communication by OCC examiners with the banks that they supervise. This 
includes information related to incidents that may cause significant disruption to systems, 
facilities, or business processes and attacks and breaches involving sensitive customer 
information that occur at a bank, its operating subsidiary or affiliate, or at a third-party 
service provider. Examiners monitor the bank's response to such incidents and assess the 
level of impact and risk to customers, business operations, and whether there are any 
systemic or downstream impacts. 

The OCC uses formal and informal processes, based on the nature of the threat and the 
immediacy of potential impact, to communicate information to the banks we supervise. These 
processes include: 

• Providing examiners with instructions and messages to use in contacting bank 
management on specific wide-scale vulnerabilities and threats, the risks these may pose 
to the bank, and actions the bank should take to prevent, detect, and respond to a threat or 
vulnerability. 

• Using our secure BankNet system and coordinating with other regulators for wide-scale distribution of alert or threat information. 

• Issuing supervisory alerts or guidance, typically in collaboration with other FFIEC members, that identifies a threat or vulnerability and communicates regulatory expectations or information for addressing the risk. One recent example was the interagency alert on the “Shellshock” vulnerability (http://www.ffiec.gov/press/pr092614.htm). 

Cyber threats evolve rapidly, and banks and their critical service providers need to have in place appropriate methods for monitoring, sharing, and responding to threat and vulnerability information to safeguard customer and other sensitive information and technology systems. For this reason, the OCC, along with other FFIEC member agencies, issued the Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement on November 3, 2014. The statement reiterated that banks are expected to monitor and maintain sufficient awareness of cybersecurity threat and vulnerability information so they can evaluate risk and respond accordingly. This statement also recommended that banks participate in the FS-ISAC and leverage other resources to obtain threat information on a timely basis. We recognize the critical importance that timely, relevant and actionable information plays in an institution’s and the sector's ability to prepare for, respond to, and mitigate the evolving threats. 

2. What obstacles and/or legal restrictions hinder information sharing? 

The OCC believes that the existing statutory framework could be improved to encourage information sharing about cyber attacks among institutions. We believe the enclosed amendment to the USA Patriot Act, which the OCC supports, would do so by creating a safe harbor to facilitate and promote the timely sharing of information among financial institutions concerning criminal activities, including information about cybersecurity threats, cyber attacks, and data breaches. 

3. Please describe what coordination and interaction each of your agencies and Department have with each other, as well as law enforcement, DHS, and the Intelligence community. 

In June 2013, the FFIEC established the CCIWG to enhance communication among its members and build on existing efforts to strengthen the activities of other interagency and private sector groups, such as the FFIEC's Information Technology Subcommittee of the Task Force on Supervision, the Financial and Banking Information Infrastructure Committee (FBIIC), the Financial Services Sector Coordinating Council, and the FS-ISAC. The CCIWG members have been coordinating among themselves and with intelligence, law enforcement, Homeland Security, and industry officials to share accurate and timely threat information, and to assist institutions in protecting themselves and their customers from the growing risk posed by cyber threats. These activities are part of a broader FFIEC cybersecurity awareness initiative that covers institutions of all sizes and complexity. The OCC is also a member of the FBIIC and attends classified briefings organized by Treasury. 

4. How would legislative proposals improve or impede your coordination and relationships 
with other government agencies? 

We have reviewed a number of legislative proposals to promote and facilitate information 
sharing concerning cyber threats and attacks among government agencies. The OCC generally 
supports such legislative initiatives. However, in the case of cyber threat information involving 
banks, the bills we have reviewed do not require or encourage the Department of Homeland 
Security, the Department of Justice, or other government agencies to share this information with 
the appropriate federal banking agency. The federal banking agencies need cyber threat 
information involving banks to ensure the safety and soundness of both individual banks and the 
broader financial system. Accordingly, we believe that legislative proposals designed to improve 
and promote cyber threat information sharing among government agencies should require other 
government agencies to share information related to banks with the appropriate federal banking 
agencies. 

In addition, most legislative proposals designed to promote and facilitate cyber threat 
information sharing provide that the information shared may not be used for regulatory purposes. 
This provision could impede our ability to issue cybersecurity guidance or regulations, or to take 
action to correct deficiencies in cybersecurity risk management. 

5. Last year, the Financial Stability Oversight Council (FSOC) recommended that regulators devote additional supervisory attention toward cybersecurity. What is the FSOC's role in monitoring cybersecurity risks? 

FSOC provides a mechanism to promote collaborative efforts on cybersecurity issues, and has set forth specific recommendations to advance cybersecurity efforts. For example, in its 2014 annual report, FSOC recommended that Treasury continue to work with regulators, other appropriate government agencies and private sector financial entities to develop the ability to leverage insights from across the government and other sources to inform oversight of the financial sector and to assist institutions, market utilities, and service providers that may be targeted by cyber attacks. The Council also recommended that financial regulators continue their efforts to assess cyber-related vulnerabilities facing their regulated entities, identify gaps in oversight that may need to be addressed, and to inform and raise awareness of cyber threats and attacks. To help promote private and public sector coordination, last December FSOC members discussed cyber issues and collaborative efforts with the Assistant Secretary for Financial Institutions at Treasury, who chairs the FBIIC, and the Chair of the Financial Services Roundtable BITS Committee Board of Directors. 

The FFIEC’s CCIWG work is directly responsive to the FSOC's recommendations. A key activity of the working group is to monitor and issue alerts to the industry about emerging threats. Within its first year, this working group released joint statements on the risks associated with "distributed denial of service" attacks, automated teller machine "cash-outs,” and the wide-scale "Heartbleed" vulnerability. In September of this year, the group issued an alert to institutions about the "Shellshock" vulnerability, and in November issued a statement encouraging financial institutions to join FS-ISAC to enhance their ability to monitor and respond to emerging threats. These statements and alerts outline the risks associated with the threats and vulnerabilities, the risk mitigation steps that financial institutions are expected to take, and additional resources to help institutions mitigate the risks. 

6. Earlier this year the Federal Financial Institutions Examination Council announced that it is planning cybersecurity and risk-mitigation assessments to help smaller institutions address cybersecurity gaps. Please describe this effort and what particular considerations or risks may exist at institutions of varying sizes. 

The FFIEC is taking a number of steps to provide resources to support banks of all sizes, particularly community institutions that may not have access to the resources available to larger institutions. In May 2014, the FFIEC offered a webinar focused on community banks, entitled “Executive Leadership of Cybersecurity: What Today's CEOs Need to Know About the Threats They Don't See.” In June 2014, the FFIEC launched a cybersecurity web page (http://www.ffiec.gov/cybersecurity.htm) that provides links to interagency statements, webinars, and other cybersecurity information that is helpful to financial institutions. 

In addition, the FFIEC members recently piloted a cybersecurity assessment examination work program (Cybersecurity Assessment) designed for use by federal and state banking regulators to assess the vulnerability of community institutions to cyber threats and their preparedness to mitigate cyber risks. The Cybersecurity Assessment builds upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook (http://ithandbook.ffiec.gov/it-booklets.aspx) and other regulatory guidance. The objectives of the work program are to: 

• Assess the complexity of an institution’s operating environment, including the types of communication connections and payments initiated, as well as how the institution manages its information technology products and services. 
• Assess an institution's current practices and overall cybersecurity preparedness, with a focus on the following key areas: 
o Risk Management and Oversight 
o Threat Intelligence and Collaboration 
o Cybersecurity Controls 
o External Dependency Management 
o Cyber Incident Management and Resilience 

On November 3, the FFIEC released general observations from the pilot assessment program (http://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.PDF). The summary provides an overview of the range of cybersecurity risks that are common to community banks and the risk management practices that banks are using to mitigate those risks. It also offers practical steps that community banks can take to strengthen their cybersecurity preparedness, and questions that bank management and boards of directors can consider to assess their banks' cybersecurity risk management. 

The Cybersecurity Assessment will help FFIEC members make risk-informed decisions to identify and prioritize actions to enhance the effectiveness of cybersecurity-related supervisory programs, guidance and examiner training. It will also be beneficial in identifying actions that can strengthen the overall level of preparedness of members and their ability to address evolving and increasing cyber threats. 

7. What particular considerations or risks may exist at institutions of varying sizes? 

The risk of cyber threats and attacks affects institutions of all sizes. Large banks have a worldwide presence, have high public profiles, and therefore are subject to a greater number of attacks. As a result, they need to bring considerable resources to respond to the volume and sophistication of these attacks. Smaller financial institutions generally do not have the same level of resources, which is one reason why the OCC and FFIEC have focused on providing resources and tools that community bankers can use to assess and help mitigate potential vulnerabilities. 

A key theme from the Cybersecurity Assessment and recent breaches is the increasing interconnectedness and interdependencies between banks and other parties, including third-party service providers. In a highly interconnected environment, each connection can introduce a potential vulnerability to a cyber attack. This is why the OCC is emphasizing that banks should maintain strong controls over their own systems and how others connect to them. In addition, the OCC is stressing that banks carefully monitor the ways in which they connect to third parties, and how these third parties manage their systems and connect to other third parties. OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance, emphasizes that banks should have strong oversight and processes in place to govern these relationships. The majority of smaller banks tend to rely more heavily on service providers to support their business operations, and the OCC, in coordination with the Federal Deposit Insurance Corporation and the Federal Reserve Board, supervises the largest technology service providers to these institutions. 
In summary, the OCC shares your concerns about cybersecurity and we are committed to working closely with the other financial regulators and government agencies, law enforcement, the private sector, and Members of Congress to strengthen the resiliency of our nation's financial sector against such attacks. If you have any further questions about our efforts, please feel free to contact me or Carrie Moore, Director, Congressional Liaison, at (202) 649-6737. 
Suggested Amendment to Section 314 of the USA PATRIOT Act 
(31 U.S.C. 5311 note) 

Section 314 of the USA PATRIOT Act (31 U.S.C. 5311 note) is amended— 

(1) in subsection (b)— 

(A) by striking “terrorist or money laundering activities” and inserting “terrorist or money laundering activities or a specified unlawful activity (as defined in section 1956(c)(7) of Title 18, United States Code)”; and 

(B) by striking “terrorist acts or money laundering activities” and inserting “these acts or activities”; 

(2) in subsection (c) by striking “terrorist acts or money laundering activities” and inserting “terrorist acts or money laundering activities or a specified unlawful activity (as defined in section 1956(c)(7) of Title 18, United States Code)”. 


EXPLANATION: 

This amendment would facilitate and promote the timely sharing of information concerning criminal activities, among financial institutions, including information concerning cybersecurity threats, cyber attacks, and data breaches. It modifies Section 314(b) and (c) of the USA PATRIOT Act, which provides safe harbors to encourage financial institutions to share information with one another regarding individuals, entities, organizations, and countries suspected of specified unlawful activity, without incurring civil liability. More specifically, the amendment expands these safe harbors, which currently apply to the sharing of information solely for the purposes of identifying and reporting activities that may involve terrorist acts or money laundering activities, to also apply to information sharing for the purposes of identifying and reporting activities that involve the Federal crimes listed in 18 U.S.C. 1956(c)(7). These include crimes relating to computer fraud and abuse, and many other serious offenses. Financial institutions are often unwilling to share information concerning suspected unlawful activity because of the risk of incurring liability. Expanding the safe harbors in this fashion will protect financial institutions that share information with one another, for example, regarding identity theft, cybercrime, and bank fraud, without requiring a determination that the crime also involves money laundering or terrorist activities. 
LETTER TO THE CONFERENCE OF STATE BANK SUPERVISORS 
SUBMITTED BY CHAIRMAN JOHNSON AND SENATOR CRAPO 


United States Senate 

November 13, 2014 


John Ryan 
President and CEO 

Conference of State Bank Supervisors 
1129 20th Street, NW, 9th Floor 
Washington, DC 20036 


Dear Mr. Ryan: 

Over the past decade, cybersecurity has become a foremost national priority. Our networks and information systems are under attack from a wide range of actors, including sophisticated criminal organizations, nation-states, and “hacktivists,” who commit cyberattacks for a variety of reasons. Cyberattacks come in many different forms, including distributed denial of service attacks against websites, point-of-sale attacks against merchants, malware attacks to infiltrate secure systems, phishing scams, and many more. 

As Chairman and Ranking Member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, we are particularly concerned with the safety and integrity of the U.S. financial system, especially as it pertains to Americans' personal financial information. The economic impact of cyberattacks is staggering. A recent Center for Strategic and International Studies report projected global economic losses of up to $573 million annually in the U.S. alone. An earlier report cited by President Obama estimated losses of $1 trillion just from intellectual property theft by cyberattacks over the previous year. Financial institutions are a particularly lucrative target. Many find themselves under constant attack, with some spending up to $250 million per year on cybersecurity. 

According to Larry Zelvin, Director of the National Cybersecurity and Communications Integration Center at the Department of Homeland Security (DHS), of the sixteen critical infrastructure sectors, “finance probably wins the cybersecurity threat award. . . [The industry is] a massive target . . . because [it is] where the money is.” The Office of the Comptroller of the Currency recently noted in its Semi-Annual Risk Perspective for U.S. banks that cyberattacks and breaches are a leading operational risk and that “recurring security breaches at retail merchants highlight the interdependencies in today's payment systems, there is concern that criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption.” 

Over the past year, we have seen a notable increase in the frequency and scope of data breaches at U.S. companies, which often involve the theft of customers' financial and other personal information. According to a recent study conducted by the Ponemon Institute, 43 percent of companies experienced a breach in the last year, up from 33 percent the prior year, and 60 percent reported a breach in the last two years. These numbers likely underestimate the magnitude of the current threat, as many breaches occur undetected. In the words of former FBI Director Robert Mueller, “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” Earlier this month, JPMorgan Chase, the nation's largest bank by assets, announced that personal information from 76 million households and 7 million small businesses had been compromised, one of the largest corporate breaches in history. Additional reports indicate that at least a dozen financial companies were targeted by the same hacker group. Ensuring that customer information is secure is essential to the integrity of the financial system. 

Furthermore, as new forms of payment become increasingly popular, strong data security will take on even 
greater importance. 

While we recognize that federal and state agencies have heightened their attention to cybersecurity issues, we are writing to seek more information on the role members of the Conference of State Bank Supervisors (CSBS) are playing to protect our financial system from cyberattacks. Please also respond to the following questions: 

First, what are CSBS and its members doing to address cybersecurity concerns at the institutions they regulate? 
What are CSBS and its members’ processes for acquiring information on potential or occurring cyberattacks and 
passing information to the financial services sector in a timely manner? What obstacles and/or legal restrictions 
hinder information sharing? 

Second, please describe what coordination and interaction CSBS and its members have with federal financial 
agencies, as well as law enforcement, DHS, and the intelligence community. How would legislative proposals 
improve or impede your coordination and relationships with other government agencies? 

Finally, earlier this year the Federal Financial Institutions Examination Council announced that it is planning 
cybersecurity and risk-mitigation assessments to help smaller institutions address cybersecurity gaps. As 
members of the FFIEC, please describe this effort and what particular considerations or risks may exist at 
institutions of varying sizes. 

It is vital that government agencies and private institutions remain vigilant and coordinated in ensuring the safety 
and security of our networks, especially as it applies to the valuable personal and financial information of 
American consumers. 

Thank you for your attention to this matter. 


Sincerely, 



Mike Crapo 




LETTER OF RESPONSE SUBMITTED BY THE CONFERENCE OF STATE 
BANK SUPERVISORS 





December S, 2014 


The Honorable Senator Tim Johnson 
Chairman 

Senate Banking Committee 
136 Hart Senate Office Building 
Washington, D.C. 20510 


The Honorable Mike Crapo 
Ranking Member 
Senate Banking Committee 
239 Dirksen Senate Office Building 
Washington, D.C. 20510 


Dear Senators Johnson and Crapo: 

Thank you for your November 13, 2014 letter regarding the efforts of the Conference of State Bank Supervisors (CSBS)¹ and State Banking Departments in protecting the financial system from cyber attacks. Information technology (IT) has always been a component of bank supervision, and incorporating cybersecurity into supervisory processes has been a natural evolution. As cyber threats have grown in number, scope, and intensity, state regulators have responded with a variety of initiatives. 

CSBS applauds the Committee’s efforts to focus attention on the role of regulators in promoting cybersecurity. We appreciate the opportunity to provide an overview of state efforts to address cyber risks at our members’ regulated institutions and to note measures that would improve state efforts to access and share timely threat information. 

Question 1: First, what are CSBS and its members doing to address cybersecurity concerns at the institutions they regulate? What are CSBS and its members' processes for acquiring information on potential or occurring cyberattacks and passing information to the financial services sector in a timely manner? What obstacles and/or legal restrictions hinder information sharing? 

State Efforts to Address Cybersecurity at Regulated Institutions 


Ensuring that financial institutions are knowledgeable about and properly addressing cybersecurity risks is a high priority for state regulators. Collectively through CSBS and individually, our members are engaged in a variety of cybersecurity efforts. These efforts encompass both depository and non-depository financial institutions and have focused on raising industry awareness and understanding and on equipping our members and their agencies with the knowledge and tools to supervise for cybersecurity risks. 


¹ CSBS is the nationwide organization of banking regulators from all 50 U.S. states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands. For more than a century, CSBS has given state supervisors a national forum to coordinate bank supervision and develop regulatory policy. State banking departments also regulate a variety of non-bank financial services providers. This broad supervisory portfolio provides state regulators with a unique perspective on the range of cyber threats facing the financial system. 

Raising Industry Awareness 

One of CSBS's highest priorities has been to focus bank executive leadership on cybersecurity. To this end, in July 2014 CSBS launched the Executive Leadership on Cybersecurity (ELOC) initiative. ELOC's goal is to raise awareness among community bank executives and emphasize that cybersecurity is not just a “back office” issue but also an executive and board level issue. 

To achieve this goal, ELOC provides comprehensive content highlighting today’s cybersecurity environment, the impact on the financial system, the importance of CEO and executive level engagement in cybersecurity management, and best practices and efforts to better protect against these threats. 

The ELOC Initiative includes tailored content to help bank leadership better engage in cybersecurity management at their bank. The initiative uses diversified methods and platforms to ensure content is meaningfully distributed, including a nine week website campaign, talking points for state bank supervisors, upcoming webinars for commissioners and deputies, and industry outreach events. The ELOC webpage has received thousands of hits,² and hundreds of bank CEOs and senior executives have signed up to receive the ELOC Resource Guide³, illustrating the level of interest in cybersecurity. On December 3, 2014, the Texas Department of Banking, in partnership with several industry groups, kicked off the outreach component of the ELOC initiative with a one day Executive Leadership on Cybersecurity event in Dallas that drew a crowd of over 300 bankers. Deputy Treasury Secretary Sarah Bloom Raskin provided the keynote address and set out a 10-question checklist for bankers focused on cybersecurity awareness and preparedness.⁴ We expect similar events to follow in 2015. 

While the ELOC initiative is nationwide in scope, several state banking agencies have launched individual initiatives focused on state-specific needs and priorities. In some cases, those initiatives have then been replicated in other states. For example, in 2010, following an increase in cyber theft throughout the state, the Texas Department of Banking partnered with the United States Secret Service Dallas Field Office to form the Texas Bankers Electronic Crimes Task Force. Recognizing the potential financial losses from fraudulent wire and Automated Clearing House (ACH) transactions, the Task Force developed a list of best practices for reducing the risks of Corporate Account Take Over (CATO)⁵ attacks and issued minimum standards to Texas state-chartered banks. Leveraging the benefits of the program, CSBS, the U.S. Secret Service, and the Financial Services Information Sharing and Analysis Center (FS-ISAC)⁶ partnered in 2012⁷ to issue these standards and best practices to financial institutions nationwide through industry training, webinars, and CSBS's website⁸. State regulators across the country have disseminated the CATO standards to their institutions. 


² The ELOC Webpage can be found at: http://www.csbs.org/CyberSecurity/Pages/default.aspx. 

³ The Resource Guide is designed for CEOs and executive level leadership so they better understand the cyber security risks facing their institutions and are better prepared to address the risks. The Resource Guide will be available soon. 

⁴ Deputy Secretary Raskin's remarks can be found at: http://www.treasury.gov/press-center/press-releases/Pages/jl9711.aspx. 

⁵ A CATO attack occurs when cyber thieves gain access to a computer system, steal confidential banking information, and impersonate the business to send unauthorized wire and ACH transactions to accounts controlled by the thieves. http://www.ectf.dob.texas.gov/aboutcato.htm. 

Similarly, the Kentucky Department of Financial Institutions recently formed a Financial Cybercrime Task Force⁹ to identify and address emerging threats facing Kentucky’s financial system. The task force focuses on disseminating best practices, guidance, and warnings to the financial services industry. The underlying themes of the task force are educating the industry and monitoring cybersecurity events. 

Finally, to better understand cyber risks and challenges, in 2013 the New York Department of Financial Services (DFS) conducted a survey of regulated institutions seeking information about information security frameworks, corporate governance around cybersecurity, and the nature of and cost associated with responding to cyber breaches. Following completion of the survey,¹⁰ New York DFS announced plans to conduct regular cybersecurity preparedness assessments at financial institutions as part of the examination process. 

Addressing Cybersecurity through Examiner Training and Supervision 

In addition to ensuring bank executives are sensitive to growing cyber threats and engaged in their institutions’ cybersecurity efforts, CSBS has taken steps to help state regulators enhance cybersecurity supervision. This effort includes increased information sharing and dialogue among regulators and a focus on identifying and seeking to meet the training needs of state regulators. Since cybersecurity is an operational risk that cuts across several aspects of supervision, CSBS is working to provide state regulators with various levels of training. 

CSBS's State Supervisory Processes Committee (SSPC) formed an IT Advisory Group to ensure state banking regulators collaborate, communicate and stay abreast of emerging IT examination issues and threats. This group is comprised of IT examiners from banking departments across the country to discuss field-level information on emerging IT risks, help ensure state supervisory processes are equipped to respond to cyber threats, and discuss training needs. The IT Advisory Group has proven to be a useful forum for ensuring that states share the latest threat and vulnerability data and for helping state regulators keep current on best practices. 


⁶ FS-ISAC is an industry forum for collaboration on critical security threats facing the financial services sector. Their webpage can be found at: https://www.fsisac.com/. 

⁷ Press Release announcing the partnership is available at: http://www.csbs.org/news/press-releases/pr2012/Pages/pr-120712.aspx. 

⁸ http://www.csbs.org/ec/cato/Pages/cato.aspx. 

⁹ http://www.kfi.ky.gov/industry/Pages/cybercrime.aspx. 

¹⁰ The New York State Department of Financial Services Report on Cybersecurity in the Banking Sector is available at: http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf. 
In an effort to get a more holistic view of a rapidly changing industry, in 2010, CSBS partnered with the Money Transmitter Regulators Association[11] (MTRA) to bring the combined resources of the two associations to bear both in terms of services offered and technologies used. As "movers" of money facilitated through increasingly complex technologies, money services businesses (MSBs) are especially vulnerable to a broad range of cybersecurity risks. One product of this effort was the 2012 formation of the Multi-State Money Services Businesses Examination Taskforce (MMET) to coordinate and communicate supervisory processes among state regulators. Recognizing the significant cybersecurity threats facing their regulated entities, the MMET is working towards identifying IT and cybersecurity gaps within state supervisory approaches to MSB regulation. MTRA held its annual training event for non-bank examiners in November of this year, which included examiner awareness of cyber threats and data breaches.

The work of MTRA, the MMET, the CSBS IT Advisory Group and general feedback from our members all pointed to a clear need for state supervisors of bank and non-bank entities to have an overview of IT fundamentals. To address this continuing need, CSBS rolled out a pilot IT examiner school in October 2014 focused on examiners with limited to no IT experience. The course is structured to include case studies and practical exercises, and the curriculum covers a broad range of information technology topics including emerging technologies, operations security and risk management, disaster recovery, business continuity, wire transfers, identity theft bank fraud, corporate account takeovers, third party service providers, and cybersecurity management. Based on the success of this pilot, CSBS expects to conduct multiple sessions in 2015.


Benefits and Risks of Emerging Payments 

State regulators have undertaken a number of initiatives to ensure that institutions are aware of the risks associated with technological advancements in financial services. In particular, the rapid pace of payments innovation led CSBS to create an Emerging Payments Task Force (EPTF) earlier this year to assess the implications of changes in the payment system. The CSBS Emerging Payments Task Force (EPTF) is examining various innovations in payments, from proposals for modernizing the traditional payment rails to virtual currencies. As the EPTF looks at the changes across the payments landscape, the importance of institutional cybersecurity and protecting consumer information and assets are key considerations.

The EPTF held a public hearing in May 2014. During that hearing, members of the EPTF discussed cybersecurity with representatives of mobile payments providers. This discussion covered electronic payment systems vulnerabilities, fraud, as well as industry efforts to develop and implement new security mechanisms such as dynamic Card Verification Values (CVV).[12]


[11] MTRA is the professional membership association of state regulators involved in regulating money transmitters and sellers of traveler's checks, money orders, drafts and other money instruments. http://www.mtraweb.org/ .

[12] A conventional CVV is a 3-4 digit number on the back of a credit card. Dynamic CVVs change with every transaction, making them significantly more difficult to counterfeit. A transcript for this hearing is available at: http://www.csbs.org/regulatory/ep/Documents/EPTF%20Hearing%20Panel%202.pdf.
The hearing also touched on cybersecurity concerns related to virtual currency activities in light of the recent high profile bitcoin theft from the now infamous Mt. Gox exchange.[13]

Information Sharing

Given the rapidly changing cyber threat environment, CSBS has made obtaining and sharing actionable threat intelligence a priority. CSBS uses information sharing forums, intelligence community relationships and the state supervisory process to acquire information on potential or actual cyber threats and attacks. Then, CSBS distributes information as appropriate to state bank regulators. State bank regulators have both formal and informal processes to communicate information with their supervised institutions.

CSBS receives threat information from a variety of sources:

• A principal source for threat information is the Financial Services Information Sharing and Analysis Center[14] (FS-ISAC), which is an industry forum for collaboration on critical security threats facing the financial services sector. FS-ISAC constantly gathers reliable and timely information from financial services providers, commercial security firms, federal, state and local government agencies, law enforcement and other trusted resources. Specifically, the Department of the Treasury (Treasury) and Department of Homeland Security (DHS) rely on the FS-ISAC to disseminate critical information to financial institutions during crises. To support FS-ISAC's mission and role and to improve industry access to timely information, several state banking commissioners, including New York, Massachusetts, and Kentucky, have encouraged their regulated institutions to join FS-ISAC.

• The Financial and Banking Information Infrastructure Committee[15] (FBIIC), under Treasury, is another prime source of cyber threat information. FBIIC, charged with improving communication and coordination among state and federal financial regulators, plays a crucial role identifying critical infrastructure assets, potential vulnerabilities, and prioritizing their importance to the financial system. CSBS participates in classified briefings and maintains secure communications with FBIIC to ensure we receive the latest and most sensitive threat alerts.

• The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Critical Infrastructure Working Group (CCIWG) has proven to be an invaluable information sharing forum for CSBS and our members. Within its first year, CCIWG has issued several alerts and statements directed towards the industry to outline the risks associated


[13] A transcript of this hearing is available at: http://www.csbs.org/regulatory/ep/Documents/EPTF%20Hearing%20Panel%203.pdf.

[14] FS-ISAC is comprised of financial institutions, insurance companies, publicly held securities/brokerage firms, utilities and privately held stand alone securities firms. The organization gathers information from financial services providers, commercial security firms, federal/national, state and local government agencies, law enforcement and other trusted resources. https://www.fsisac.com .

[15] http://www.fbiic.gov/ .
with specific threats and vulnerabilities, the risk mitigation steps that institutions are expected to take, and additional resources to help mitigate the risks. FFIEC alerts to date cover distributed denial of service (DDoS)[16] and ATM cash-out attacks[17], and the "Heartbleed"[18] and "Shellshock"[19] vulnerabilities. Additionally, the FFIEC recently issued a statement encouraging financial institutions to join FS-ISAC and outlining expectations for bank management regarding monitoring and maintaining sufficient awareness of cybersecurity threats.[20]

• Finally, through its IT Advisory Group, CSBS has tapped the resources of our members to obtain information related to incidents, attacks and breaches and ongoing supervisors' impacts. This collaborative forum has proven to be an excellent venue for states to share information and learn from each other.

Once CSBS learns of potential cyber threats and vulnerabilities, the threats are distilled, analyzed, and prioritized based on the nature of the threat or vulnerability. CSBS has an internal process to ensure that state bank supervisors with a need to know are informed of the latest intelligence through secure channels. The final link in the chain is the process state bank regulators use to share information with their institutions. It is a high priority for state regulators to pass on timely and appropriate threat information to their regulated institutions.

Obstacles/Legal Restrictions to Information Sharing

Access to Classified Information

The classified nature of certain cyber threats can impede the rapid transmission of critical information. To facilitate timely information sharing, it is important that state regulators have a means of obtaining the appropriate security clearances to receive the latest and most critical threat alerts. Currently, state banking commissioners do not have access to the same level of threat information as their federal counterparts. As a result, our members are hampered in their ability to evaluate the seriousness of an emerging cyber threat and whether the threat requires rapid action to inform and protect their regulated entities.

DHS has a formal process for issuing federal government employees and contractors security clearances. However, DHS evaluates state government personnel on a case-by-case basis, which


[16] The FFIEC Joint Statement on DDoS attacks is available at: http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf .

[17] The FFIEC Joint Statement on ATM cash-out attacks is available at: http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf .

[18] The OpenSSL "Heartbleed" Vulnerability Alert is available at: http://www.ffiec.gov/press/PDF/OpenSSLAlert0410.pdf .

[19] The Bourne-Again Shell (Bash) "Shellshock" Vulnerability Alert is available at: http://www.ffiec.gov/press/PDF/FFIEC JointStatement BASH Shellshock Vulnerability.pdf .

[20] Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement is available at: http://www.ffiec.gov/press/PDF/FFIEC Cybersecurity Statement.pdf .
has proven to be a barrier to state regulators' ability to obtain timely information about cyber threats. Congressional support -- through oversight and, potentially, legislation -- for state regulators' efforts to seek a more formalized, streamlined process for state government personnel to receive security clearances could help us address this gap.

Barriers to Incident Reporting

Separately, financial institutions may be wary to report details of breaches and intrusions to avoid incurring legal liability for disclosing consumer personal information. Policy makers should evaluate the allocation of risks in such circumstances to ensure that federal and state laws incentivize, rather than discourage, the appropriate dissemination of credible cyber threats.

Question 2: "Second, please describe what coordination and interaction CSBS and its members have with federal financial agencies, as well as law enforcement, DHS, and the intelligence community. How would legislative proposals improve or impede your coordination and relationships with other government agencies?"

Coordination Efforts


Active coordination between state and federal regulators and law enforcement is essential to mitigating evolving cyber threats. State regulators coordinate through the following fora and with the following law enforcement agencies: the Financial Stability Oversight Council (FSOC), the FFIEC, and U.S. Secret Service and the Federal Bureau of Investigation (FBI).

In response to the financial crisis, Congress created the FSOC to comprehensively monitor and mitigate threats to the financial system as well as ensure greater coordination among financial regulators. Congress affirmed the importance of state regulators in the financial regulatory structure by including a state banking regulator as a non-voting member of the FSOC.[21] Recognizing the threat cyber attacks pose to the stability of our financial system, FSOC held a public meeting in December 2013 where representatives from the public and private sector gave presentations on cyber security.[22] The meeting touched upon the overall importance of a private-public partnership with respect to cybersecurity.

As a voting member of the FFIEC, the State Liaison Committee (SLC) coordinates with other FFIEC member agencies on cybersecurity related supervisory matters. The FFIEC's CCIWG enhances communication among FFIEC members and builds on existing efforts to strengthen the activities of other interagency and private sector groups, such as the FFIEC's Information Technology Subcommittee of the Taskforce on Supervision, FBIIC, Financial Services Sector Coordinating Council (FSSCC)[23] and FS-ISAC. The CCIWG members have been coordinating


[21] 12 U.S.C. § 5321(b)(2)(D). In addition to a state banking regulator, the FSOC includes a state insurance and a state securities regulator as non-voting members.

[22] The minutes from the meeting are available at: http://www.treasury.gov/initiatives/fsoc/council-meetings/Documents/December%209%202013.pdf.

[23] The Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC), established in 2002, is the sector coordinator for Financial Services for the protection of critical
among themselves and with intelligence, law enforcement, DHS and industry officials to share accurate and timely threat information, and to assist institutions in protecting themselves and their customers from the growing risk posed by cyber threats. These activities are a part of a broader FFIEC cybersecurity awareness initiative.

Furthermore, CSBS's coordination efforts extend beyond regulatory bodies to include law enforcement agencies. As detailed above, CSBS has partnered with the U.S. Secret Service to bring the CATO Initiative to a nationwide platform. CSBS hopes to build off this proven model, and partner with law enforcement agencies in the future to both develop frameworks that are responsive to emerging threats and disseminate the information throughout the industry.

Legislative Proposals

As Congress considers legislative proposals related to cybersecurity, CSBS and its members believe it is important to integrate state regulators into any proposed information sharing or regulatory coordination proposals. State banking commissioners, who charter 75% of all FDIC-insured institutions and have supervisory authority for a diverse array of non-bank financial providers, bring a unique perspective informed by this broader regulatory portfolio and by our members' more locally-focused approach. Building on fora and models such as FFIEC, FSOC, and FBIIC, which institutionalize state participation in regulatory and supervisory bodies, is critical to ensuring states meaningfully participate in decisions that affect the financial sector.

Additionally, CSBS supports legislative initiatives that reduce barriers to the transmission of critical threat information and promote information sharing. As discussed above, Congress should consider legislative solutions to establish a process by which state government personnel can obtain clearances from DHS.

Moreover, financial institutions, both bank and non-bank, should be able to report details of cyber breaches without fear of legal liability. While there is a relatively mature regime regarding breach reporting for banks, liability concerns persist. Moreover, there is not a commensurate legal regime for breaches against non-bank entities. Federal and state laws should incentivize, rather than discourage, the wide dissemination of credible cyber threats experienced by both banks and non-banks.

Question 3: "Earlier this year the FFIEC announced that it is planning cybersecurity and risk-mitigation assessments to help smaller institutions address cybersecurity gaps. As members of the FFIEC please describe this effort and what particular considerations or risks may exist at institutions of varying sizes."

Cybersecurity and Risk-Mitigation Assessments


The FFIEC members recently piloted a cybersecurity assessment examination work program (Cybersecurity Assessment) designed for federal and state regulators to assess the vulnerability


infrastructure, focused on operational risks. Their homepage can be found at:
hl'P//wwW,fW.9t|t/f>^rc/drfflqH.isp. 
of community institutions to cyber threats and their preparedness to mitigate cyber risks. The Cybersecurity Assessment builds upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook.[24] The objectives of the work program include:

• Assess the complexity of an institution's operating environment, including the types of communication connections and payments initiated, as well as how the institution manages its information technology products and services.

• Assess an institution's current practices and overall cybersecurity preparedness, with a focus on the following key areas:

o Risk management and oversight 
o Threat intelligence and collaboration 
o Cybersecurity controls 
o External dependency management 
o Cyber incident management and resilience 

The FFIEC released general observations from the pilot assessment program on November 3.[25] The summary provides an overview of the range of cybersecurity risks that are common to community banks and the risk management practices that banks are using to mitigate those risks. It also offers practical steps that community banks can take to strengthen their cybersecurity preparedness, and questions that bank management and boards of directors can consider to assess their banks' cybersecurity risk management.

The Cybersecurity Assessment will help FFIEC members enhance the effectiveness of cybersecurity-related supervisory programs, guidance and examiner training. It will also be beneficial in identifying actions that can strengthen the overall level of preparedness of members and their ability to address evolving and increasing cyber threats.

Particular Considerations and Risks at Institutions of Varying Sizes 

Cyber attacks are a risk for institutions of all sizes. Large banks have a worldwide presence and high public profiles, and are therefore subject to a greater number of attacks. As a result, they need to expend considerable resources to respond to the volume and sophistication of these attacks. Smaller financial institutions generally do not have the same level of resources, which is one reason why the FFIEC has focused on providing resources and tools for community bankers to assess and mitigate potential vulnerabilities.

A key theme from the Cybersecurity Assessment and recent breaches is the increasing interconnectedness and interdependencies between banks and other parties, including third-party service providers (TSPs). In a highly interconnected environment, each connection can introduce a potential vulnerability to a cyber attack. The Cybersecurity Assessment revealed that smaller institutions tend to rely more heavily on service providers to support their business operations. Thus, FFIEC members have emphasized that banks should carefully monitor the


[24] The FFIEC IT Handbook is available at: http://ithandbook.ffiec.gov/it-booklets.aspx .

[25] The general observations are available at: http://www.ffiec.gov/press/PDF/FFIEC Cybersecurity Assessment Observations.pdf .
connection points between their systems and third parties. Robust supervisory process of TSPs would benefit institutions - particularly community banks - and help improve the resiliency of the financial system.


CSBS and its members share your concerns on cybersecurity and are committed to working closely with the federal banking and government agencies, law enforcement and the industry to strengthen the resiliency of our financial service sector against cyber attacks. Ensuring state regulators have the appropriate level of security clearance provides an important tool in improving state regulators' ability to coordinate with our federal counterparts and share timely and actionable "need to know" information with our regulated institutions. We welcome Congress's continued focus on cybersecurity and financial system and look forward to working with you and your staff on these issues.

Sincerely, 






John W. Ryan 


President & CEO 
National Association of Federal Credit Unions | www.nafcu.org


Carrie R. Hunt
Senior Vice President of Government Affairs
and General Counsel


December 9, 2014

The Honorable Tim Johnson
Chairman 

Committee on Banking, Housing
And Urban Affairs 
United States Senate 
Washington, D.C. 20510 


The Honorable Mike Crapo
Ranking Member
Committee on Banking, Housing
and Urban Affairs
United States Senate
Washington, D.C. 20510


Re: Cybersecurity and Data Security

Dear Chairman Johnson and Ranking Member Crapo:

On behalf of the National Association of Federal Credit Unions (NAFCU), the only trade association exclusively representing our nation's federally chartered credit unions, I write in conjunction with tomorrow's hearing, "Cybersecurity: Enhancing Coordination to Protect the Financial Sector." Credit unions serve over 98 million members across the country and we appreciate your interest in fighting against cyber threats in the financial services sector.

In commenting on the importance of cybersecurity just yesterday, National Credit Union Administration Chairman Debbie Matz said that credit unions will find an active partner with NCUA when it comes to cybersecurity and protecting financial data. While credit unions and other financial institutions have been subject to standards on data security since the passage of the Gramm-Leach-Bliley Act, including having federal regulators to oversee and work with them on these standards, retailers and merchants are not held to the same high standards of data security. As Chairman Matz also noted in her comments, "Retailers should be held to the same high data protection standards. It is time to end the double standard." NAFCU agrees and is hopeful that Congress will also take legislative action to address ongoing data security breaches at our nation's retailers.

NAFCU continues to recommend that Congress make the following priorities in any legislation dealing with cybersecurity and data security:

• Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to require entities to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame.

• National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Under Gramm-Leach-Bliley, credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers' personal information. Unfortunately, there is no comprehensive regulatory structure akin to Gramm-Leach-Bliley that covers retailers, merchants and others who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.


NAFCU | Your Direct Connection to Education, Advocacy & Advancement
• Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to when they provide their personal information. NAFCU believes this problem can be alleviated by simply requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant but would provide an important benefit to the public at large.

• Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes that it would make sense to include entities such as financial institutions on the list of those to be informed of any compromised personally identifiable information when associated accounts are involved.

• Disclosure of Breached Entity: NAFCU believes that consumers should have the right to know which business entities have been breached. We urge Congress to mandate the disclosure of identities of companies and merchants whose data systems have been violated so consumers are aware of the ones that place their personal information at risk.

• Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically. Many entities do not respect this prohibition and store sensitive personal data in their systems, which can be breached easily in many cases.

• Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers whole after they are harmed by a data breach, NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the merchant or retailer who incurred the breach. These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers' personal information but sustained a violation nonetheless. The law is currently vague on this issue, and NAFCU asks that this burden of proof be clarified in statute.

Again, thank you for your interest in enhancing the security of the financial sector and holding this important hearing. NAFCU urges Congress to come together in a bipartisan way and put forward legislative recommendations to hold retailers to the same strict standards of cybersecurity and data security that financial institutions must already adhere to.

On behalf of our nation's credit unions and their 98 million members we thank you for your attention to this important matter. If my staff or I can be of assistance to you, or if you have any questions regarding this issue, please feel free to contact myself, or NAFCU's Vice President of Legislative Affairs, Brad Thaler, at (703) 842-2204.



Carrie R. Hunt


cc: Members of the Senate Banking Committee
STATEMENT SUBMITTED BY THE SECURITIES INDUSTRY AND
FINANCIAL MARKETS ASSOCIATION



Invested in America


December 10, 2014


Statement of the Securities Industry and Financial Markets Association
Senate Committee on Banking, Housing, and Urban Development
Hearing Entitled "Cybersecurity: Enhancing Coordination to Protect the Financial Sector"

In today's digital world, both the public and private sectors must improve their ability to defend against a diverse set of cyber threats and be proactive in protecting their partners and clients in addition to their data and networks from theft, disruption or destruction. From criminals seeking financial gain to nation states committing corporate espionage or seeking to dislocate markets and destroy confidence, cyber threat actors are becoming more sophisticated, making cybersecurity an area of risk that must be actively managed by firms similar to other areas of risk. The destruction of financial data or the disruption of our capital markets caused by a successful cyber attack would have a ripple effect across the economy and across the globe. In that light President Obama has stated that the "cyber threat is one of the most serious economic and national security challenges we face as a nation" and that "America's economic prosperity in the 21st century will depend on cybersecurity." SIFMA[1] and its member firms are leaders in developing and participating in the critical partnership between the government and the financial

[1] The Securities Industry and Financial Markets Association (SIFMA) brings together the shared interests of hundreds of securities firms, banks and asset managers. SIFMA's mission is to support a strong financial industry, investor opportunity, capital formation, job creation and economic growth, while building trust and confidence in the financial markets. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit http://www.sifma.org.
services industry and appreciate the interest shown by this Committee and others in evaluating our collective efforts.

SIFM.’\ has rccently undertaken a live part elTort to address cybersecurity threats and related 
risks to its membership and the llnancial services industry at large. Tlie ultimate goal of tliis 
effort is to better identify the vulnerabilities lor a cyber altacL improve the industry's 
cybersecurity protections and prepare individual firms and the bntader sector to respond to a 
cyber attack, thereby enhancing protections for the capital markets and tlic millions of .Americans 
who lusc financial senices every day. .More than 30 firms from across the industry are engaged in 
this work to ensure tlie unique intere.sts and needs of institutions of all shapes and sizes are 
addressed 

Standards 

Effective cybersecurity regulatory guidance is critical both for the financial services sector and the other critical infrastructure sectors we rely on. SIFMA commends the various agencies for conducting a review of their cybersecurity policies, regulations, and guidance and conducting surveys and sweeps of the firms that they cover with the goal of strengthening the defense and response of firms to cyber attacks and better understanding the investments that firms have already made to mitigate this risk. In addition to the reviews being conducted, we suggest via our recently published Principles for Effective Cybersecurity Regulatory Guidance[2] that regulations should be harmonized for greater effectiveness. Industry looks to the government to help identify uniform standards, promote accountability across the entire critical infrastructure, and provide access to essential information. Likewise, government depends upon industry to

[2] Principles for Effective Cybersecurity Regulatory Guidance: http://www.sifma.org/issues/item.aspx?id=8589951691
implement regulation or guidance and collaborate on identifying risks and providing effective solutions. The guiding principles are designed to encourage regulation that facilitates a collaborative relationship and protects the financial industry for the overall security of investors and the nation's economy and SIFMA urges policymakers to consider how best to incorporate the principles into their respective regulatory initiatives.

Improving Resiliency in the Markets

We recently assembled a working group to develop a diagnostic on the U.S. equity and Treasury markets. The working group brought together a broad collection of market participants to identify risks and areas of concern around processes and technology. After mapping process flows within the markets, a workshop was held during which a set of 10 diverse cyber-risk scenarios were applied to the markets and a number of potential risks were identified as a result. These results will be shared with the government and other industry stakeholders in order to jointly identify potential mitigating actions to address the identified risks and further improve equity and treasury market structure.

Incident Response 

SIFMA's members refined the industry's crisis incident response plans to ensure that they are well 
tested and recognize the appropriate role of our government partners. Building off the after-action 
reports and lessons learned from the cyber exercise "Quantum Dawn 2" and Superstorm 
Sandy, SIFMA developed and documented the protocols and process to efficiently create an 
industry consensus recommendation in response to a systemic incident within the Equity and 
Fixed Income markets. To enable this process, SIFMA created two new market response 
committees covering the markets above, which will facilitate the process in the event of a crisis. 
On October 24, 2014, SIFMA conducted a test of the process with both committees. 

Participation from firms, exchanges, financial utilities and regulators was extensive and an after-action 
report from the exercise will likely be available at the end of December. This year, SIFMA also 
launched a multi-faceted approach to engaging the government in order to facilitate a common 
understanding of how the capital markets will be supported in the event of an attack and what 
mechanisms and capabilities are available for defending the markets, and in turn investors, while 
re-establishing public confidence in the recovery. 

Insider Threat 

Building upon a proactive approach to cybersecurity, SIFMA has developed a set of best 
practices to assist firms in the development of their own insider threat mitigation programs. This 
best practices guide provides context, considerations, and a method for implementation of an 
insider threat program that aligns with the NIST Cybersecurity Framework to facilitate 
integration into firms' cybersecurity programs and allow synergies to be leveraged as many risks 
overlap. As we have learned from recent events, the threat of breach and unauthorized 
disclosure can appear from both external and internal sources and both need to be actively 
addressed and monitored. 

Information Sharing 

SIFMA has worked to deepen our members' engagement with the Financial Services 
Information Sharing and Analysis Center (FS-ISAC) by promoting general membership and 
participation in its programs. The FS-ISAC is the global financial industry's go-to resource for 
cyber and physical threat intelligence and a key operational component of the sector's defense. 

Its role is so central that on November 3, 2014, the Federal Financial Institutions Examination 
Council (FFIEC) recommended that financial institutions should join sector-wide information 
sharing organizations like the FS-ISAC. The FFIEC noted that "participating in information- 
sharing forums is an important element of an institution's risk management processes and its 
ability to identify, respond to, and mitigate cybersecurity threats and incidents." In line with this 
recommendation, SIFMA has funded a one year membership for 181 SIFMA members in the 
small firm category in order to achieve a near 100% membership overlap with FS-ISAC. In 
addition to promoting information sharing, we have also sought ways to increase the level of 
cyber defense and readiness for small firms, by publishing a cybersecurity guidebook informed 
by best practices at larger institutions and government partners centered on the NIST 
Cybersecurity Framework. Looking into the future, SIFMA and its members are supportive in 
both the development and implementation of Soltra Edge, a software solution from DTCC and 
FS-ISAC that is designed to facilitate the collection of cyber threat intelligence from various 
sources, convert it into an industry standard language and provide timely information on which 
users can decide to take action to better protect their company. 

Furthermore, there is a need for Congress to engage more productively in this effort to improve 
our cybersecurity and the best place to start is by the Senate taking up and passing S. 2588, the 
Cybersecurity Information Sharing Act (CISA) of 2014, which received large bipartisan support 
in the Senate Intelligence Committee this past July. The threat our economy faces from cyber 
attacks is real and Congressional action will significantly improve information sharing crucial to 
improving our cyber defenses. SIFMA believes the Committee has taken a balanced approach 
which will help the financial services industry to better protect our systems and data and the 
privacy of our customers. Congress should move swiftly. We cannot wait for the next attack to 
legislate, but must remain vigilant and proactive and provide the private sector with laws that 
will enable us to better protect ourselves and collaborate with our government partners. 

Conclusion 

Neither the industry nor the government can prevent or prepare for cyber threats on their own. 
SIFMA believes that a dynamic and collaborative partnership between the industry and 
government is the most effective path forward to accomplishing this goal. Among other areas for 
collaboration, government participation in industry exercises is critical to gain a better 
understanding of our collective capabilities in the event of a crisis. For Quantum Dawn 3 (QD3), 
we are currently planning for a major industry-wide exercise in September 2015. QD3 will build 
upon the breadth and success of QD2 and continue to focus on an attack on the US equity market 
that has a systemic impact. The exercise will include participants from the public and private 
sector and focus on how we collaborate during a crisis to maintain operations in the face of a 
destructive data attack. 

Another area where collaboration is critically important surrounds efforts to enhance regulatory 
harmonization beyond existing requirements to improve the protection of the financial sector. 
The benefits of this partnership approach led to the development of the NIST Cybersecurity 
Framework, which SIFMA is actively promoting within its membership and encourages 
regulators to use as a universal structure that can be leveraged as a starting point for creating a 
unified approach to cybersecurity. 

As an industry, we have made cybersecurity a top priority. SIFMA has brought together experts 
from across the public and private sectors to better understand the risks involved in a cyber 
attack and develop best practices to be better prepared to thwart an attack, but to be effective, we 
must work closely with the federal government to strengthen our partnership, protect our 
economy and the millions of Americans who place their confidence in the financial markets each 
and every day. 

STATEMENT SUBMITTED BY THE INDEPENDENT COMMUNITY 
BANKERS OF AMERICA 



December 10, 2014 


Cybersecurity: The Community 
Bank Perspective 




On behalf of the more than 6,500 community banks represented by the Independent Community Bankers 
of America (ICBA), thank you for convening today's hearing "Cybersecurity: Enhancing Coordination to 
Protect the Financial Sector." We welcome the opportunity to share the community bank perspective on 
this critical dynamic issue. 

The financial services industry and community banks are on the front lines of defending against 
cybersecurity threats and take their role in securing data and personal information very seriously. 
Community banks are strong guardians of the security and confidentiality of customer information as a 
matter of good business practice as well as legal and regulatory requirements. Safeguarding customer 
information is central to maintaining public trust and the key to long-term customer retention. As 
Congress, law enforcement and the regulatory agencies continue to address the real and present danger 
cybercriminals pose to the financial system, we ask that they keep in mind the following policy principles 
and objectives of the community banking industry: 

Policymakers Must Recognize Existing Data Security Mandates and Close Remaining Gaps. Any new 
legislation, frameworks, or standards policymakers develop should first recognize the existing standards 
and practices community banks observe to protect the confidentiality and integrity of customer personal 
data as well as to mitigate cyber threats and then focus on closing remaining gaps. The National Institute 
for Standards and Technology (NIST) framework, for example, and the 2013 Executive Order 
implementing it, were developed to create a baseline to reduce cyber risk to all critical infrastructure 
sectors, and the Gramm-Leach-Bliley Act sets forth rigorous and effective data security protocols for the 
financial sector. It is important to extend comparable standards to all critical infrastructure sectors, 
including the commercial facilities sector which incorporates the retail industry and other potentially 
vulnerable entities. 

Threat Information Sharing is Critical. ICBA supports the sharing of advanced threat and attack data 
between federal agencies and the appropriate financial sector participants, including community banks. 
Community banks rely on this critical information to help them manage their cyber threats and protect 
their systems. ICBA supports community banks' involvement with services such as the Financial Services 
Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a non-profit, information-sharing 
forum established by financial services industry participants to facilitate the public and private sectors' 
sharing of physical and cybersecurity threat and vulnerability information. ICBA also supports FS-ISAC 
efforts to take complex threat information across communities, people and devices and analyze, prioritize, 
and route it to users in real-time as long as those efforts incorporate community banks and such 
advancements are cost effective for them. 

Additionally, ICBA supports the recent creation of the Retail Cyber Intelligence Sharing Center (R-CISC) 
and supports the establishment of robust information sharing protocols between the two sector ISACs. 

Regulators Should Do More to Control Third Party Risk. Community banks significantly rely on third 
parties, such as data processing companies and software vendors, to support their systems and business 
activities. While community banks are diligent in their management of third parties, mitigating 
sophisticated cyber threats to these third parties, especially when they have connections to other 
institutions and servicers, can be challenging. Regulators should enhance their oversight of these third 
parties in order to mitigate the risks associated with interconnectivity and share threat and other 
applicable information with community banks on a timely basis. 

Position on Recent Data Breaches 

Community bankers and their customers are deeply alarmed by the wide-scale data breaches at national 
retail chains and other entities. These far-reaching and costly breaches have the potential to jeopardize 
consumers' financial integrity and confidence in the payments system. 

To mitigate this risk, ICBA calls on policymakers to consider the following: 

The Party that Incurs a Breach Should be Liable for Associated Costs. It is critical that the party that 
incurs a data breach, whether it be a retailer, financial institution, data processor or other entity, bear 
responsibility for the related fraud losses and costs of mitigation. Allocating financial responsibility with 
the party that is best positioned to secure consumer data will provide a strong incentive for it to do so 
effectively. Additionally, aligning incentives to maximize data security by all parties that process and/or 
store consumer data will make the payments system stronger over time. Payments rules should mandate 
merchant security provisions to further protect customer data, particularly debit and credit card 
information. 

Extend Gramm-Leach-Bliley Act-Like Standards. Under current law, retailers and other parties that 
process or store consumer financial data are not subject to the same federal data security standards and 
oversight as financial institutions. Securing financial data at financial institutions is of limited value if it 
remains exposed at the point-of-sale and other processing points. ICBA supports subjecting these entities 
to Gramm-Leach-Bliley Act-like standards with similar enforcement. It is equally important that these 
entities provide uniform and timely notification to banks concerning the nature and scope of any breach 
when bank customer information may have been compromised. 

A National Data Security Breach and Notification Standard is Vital. Most states have enacted laws with 
differing requirements for protecting customer information and giving notice in the event of a data breach. 
This patchwork of state laws only increases burdens and costs, fosters confusion, and ultimately is 
detrimental to customers. ICBA believes customer notification is appropriate to let customers take steps 
to protect themselves from identity theft or fraud resulting from data breaches. However, it is important 
that notification requirements allow financial institutions and others flexibility to determine when notice 
is appropriate. Overly broad notification requirements defeat the purpose of calling attention to the risks 
associated with a particular breach. Federal banking agencies should set the standard for financial 
institutions, as they currently do. 

Thank you again for the opportunity to submit this statement for the record. ICBA is committed to 
working with this committee to address cyber threats and data breaches brought by criminal enterprises. 




1615 L Street NW, Suite 900, Washington, DC 20036 • 202-659-8111 • fax 202-659-9216 • www.icba.org 
Protecting Merchant Point of Sale Systems during the Holiday Season 


November 7, 2014 


Executive Summary 

This advisory was prepared in collaboration with the Financial Services Information Sharing and Analysis 
Center (FS-ISAC), the United States Secret Service (USSS), and the Retail Cyber Intelligence Sharing 
Center (R-CISC), and is directed towards retailers or companies which are processing financial 
transactions and managing customer personally identifiable information (PII) during the upcoming 
holiday season and beyond. This advisory serves to provide information on and recommends possible 
mitigations for common cyber exploitation tactics, techniques and procedures (TTPs) consistently and 
successfully leveraged by attackers in the past year. Many of these TTPs have been observed by the FS- 
ISAC, through its members, and identified in Secret Service investigations. 

The TTPs discussed in this report include: 

• Exploiting commercial application vulnerabilities 

• Unauthorized access via remote access 

• Email phishing 

• Unsafe web browsing from computer systems used to collect, process, store or transmit 
customer information 

This document provides recommended security controls in these four commonly observed areas to 
protect customer data and also provides recommendations to smaller merchants who should work with 
their vendors to implement these recommendations (see Appendix A). 

This advisory is not intended to be a robust, all-inclusive list of procedures as attackers will modify TTPs 
depending upon the target's network and vulnerabilities. This report does not contain detailed 
information about memory scraping Point of Sale (PoS) malware that has been used in recent high- 
profile data breaches. Secret Service investigations of many of the recent PoS data breaches have 
identified customized malware only being used once per target. A list of observed PoS malware families 
is provided in Appendix B. 

These recommendations should be analyzed by cyber threat analysts and fraud investigation teams 
based on their operational requirements. The information contained in this advisory does not augment, 
replace or supersede requirements in the Payment Card Industry Data Security Standard (PCI DSS); 
however, the PCI DSS version 3.0 recommendations are cited when appropriate.¹ 


¹ For the full PCI DSS v. 3.0 guide, please see https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf 
Application Security 

During the past year attackers have continued to use brute force password attacks against network 
assets such as webservers or externally facing databases. According to a 2013 survey conducted by the 
security firm Alert Logic, brute force attacks increased from 30 to 44 percent among its customers.² 


Once inside a network, hackers usually map the network to determine the most valuable data to steal. 
One method of connecting to the network devices storing that data is through software that is 
permitted to run on the network and connect to external destinations controlled by the hacker. 
Typically, these applications are allowed full outbound access through a firewall or proxy service 
facilitating the theft of that data. 


There is a strong possibility that attackers will leverage highly publicized vulnerabilities such as 
Heartbleed, Shellshock (Bash), and POODLE to access a network. 

Recommendations 

• Perform Open Web Application Security Project (OWASP) audits on any web applications.³ 

• Implement all recommended vendor patches and test to ensure the patch is successfully 
integrated. 

• Enforce up-to-date anti-virus (AV) signatures, but do not only rely on AV signatures alone. 

• Test databases and web login portals against brute force password attacks. 

• Monitor firewalls for outbound traffic to unknown or suspicious IP addresses and domains. 

• Secure webservers that contain customer data. These include payment gateways and e- 
commerce applications. 

• Ensure that no unauthorized code has been introduced to the production environment. Run a 
vulnerability scan against your approved applications. If any software is vulnerable, update and 
patch immediately. Re-run the vulnerability scan whenever new or updated applications are 
introduced. 


Remote Access Controls 

Criminals have successfully exploited databases and payment processing systems with remote access 
tools. There is a high probability that employees who have remote access to the company's network will 
be targeted especially if the attacker can steal virtual private network (VPN) logon credentials and 
leverage them to log in during normal business hours. For example, in August 2014, a health care 
provider's VPN credentials were stolen and hackers used these credentials to steal millions of patients' 
social security numbers.⁴ 


² http://go.alertlogic.com/rs/alertlogic1/images/alert-logic-spring-2014-CSR-pages-04-21-14.pdf 

³ https://www.owasp.org/index.php/SQL_Injection 

⁴ http://www.reuters.com/article/2014/08/20/us-community-health-cybersecurity-idUSKBN0GK0H820140820 
Implementing multi-factor authentication on remote access devices reduces the risk of attackers gaining 
access to the network. Too often, this added layer of security is not configured in remote access 
platforms, making it a common target for attackers in past data breaches. Appendix C contains 
examples for enabling and configuring multi-factor authentication for the popular and widely deployed 
Citrix platform XenApp. Most other remote access platforms provide similar support for multi-factor 
authentication. 

Recommendations 

• Corporate users who typically access a network externally should be forced to change their login 
credentials before and after the holiday season. Sophisticated criminal groups have likely 
already purchased stolen credentials to conduct an attack this season. Forcing regular password 
changes and enforcing complex password rules will help mitigate this risk. 

• Multi-factor authentication should be required to mitigate risk for remote access. Many remote 
access appliances are provisioned to accept multi-factor authentication technology (See 
Appendix C). 

• Segregate the payment processing systems from remote access applications when possible, and 
restrict the network resources remote access users can access. 

• Implement all recommended vendor patches and test to ensure the patch is successfully 
integrated. 

• Enforce up-to-date AV signatures, but do not only rely on AV signatures alone. Consider 
additional tools for the device being accessed such as a host based intrusion prevention system 
(HIPS) and host based firewalls. 

• Monitor the remote user accounts for login abnormalities such as frequent failed login attempts, 
logins during non-normal working hours, and abnormal duration of logon (e.g. very long or very 
short login sessions). Additionally, host based security logs should be enabled and reviewed. 

• Lock accounts after multiple failed login attempts. The industry standard is not more than six 
failed login attempts.⁵ 

• Disable unnecessary services, especially those that support remote access such as remote 
desktop protocol (RDP) and virtual network computing (VNC) when not required. 

• Monitor firewalls for outbound traffic to suspicious IP addresses and domains. 

Third Party Vendors 

There is a strong possibility that third party vendors such as those involved in heating ventilation and air 
conditioning (HVAC), power, or other environmental and physical security controls on the network will 
be targeted. These vendors usually have login access to a central network or peripheral network that 
can be exploited to gain lateral access for payment information.⁶ In December 2012, the cyber security 
firm Cylance stated that it found 12,000 US industrial control systems online indicating they can be 

⁵ https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf 

⁶ http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/ 


TLP: WHITE 
accessed externally and potentially targeted by an attacker.⁷ The following May, Cylance researchers 
demonstrated vulnerabilities in an HVAC platform and successfully shut down a major technology 
company's air conditioning.⁸ 

Recommendations 

• Vendors should not be allowed to remote access your network with out of date operating 
systems like Windows XP. For example, require Windows 7 or newer, or Mac OS 10.8. 

• Identify third parties with remote access or physical access to the network perimeter. 

• Require vendors to use multi-factor authentication for remote access when possible. If multi- 
factor authentication is not available to those vendors, then disable remote access services 
except when specifically requested and scheduled by the vendor. Force third parties to change 
their login credentials before and after the holiday season. Sophisticated criminal groups have 
likely already purchased stolen credentials to conduct an attack this season. Forcing regular 
password changes and enforcing complex password rules will help mitigate this risk. 

• Enforce up-to-date AV signatures, but do not only rely on AV signatures alone. 

• Establish baselines for each 3rd party vendor's normal network activity, including remote access 
and logins. Monitor their activity for anomalous behavior such as frequent failed login attempts, 
logins dunng non-normal working hours, and abnormal duration of logon. 

• Evaluate and limit third party network access privileges. For example, whitelist third party 
network addresses on a firewall provisioned to control remote access by third parties. 

• Segment the network if possible through the use of secured VPNs with managed access control. 

• Conduct information security and risk assessments of all third party vendors that have access to 
your network. 
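The two monitoring recommendations above (remote user accounts: frequent failed logins, logins outside normal working hours, abnormal logon duration, lockout at six failed attempts; third-party vendors: a per-vendor baseline of normal activity) all reduce to the same checks over an authentication log. The script below is an added example, not part of the advisory or of any vendor product: it runs those checks over a constructed remote-access log. The log format, account names, baseline working hours and the session-duration rule (flag sessions shorter than a tenth or longer than three times the account's own median) are assumptions chosen for illustration.

```python
"""Flag remote-access login anomalies from an authentication log (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

LOCKOUT_THRESHOLD = 6  # the advisory's stated industry standard: no more than six failures

# Constructed sample log: "<ISO timestamp> <account> <event> <session seconds>"
# (assumed format; a real VPN/Citrix log would need its own parser).
SAMPLE_LOG = """\
2014-11-20T09:02:11 jsmith LOGIN_OK 28800
2014-11-20T09:15:40 hvac-vendor LOGIN_OK 1800
2014-11-21T09:05:02 jsmith LOGIN_OK 30600
2014-11-21T10:00:00 hvac-vendor LOGIN_OK 2100
2014-11-22T03:12:09 hvac-vendor LOGIN_OK 40
2014-11-22T08:55:13 jsmith LOGIN_OK 29100
2014-11-23T22:40:01 jsmith LOGIN_FAIL 0
2014-11-23T22:40:15 jsmith LOGIN_FAIL 0
2014-11-23T22:40:30 jsmith LOGIN_FAIL 0
2014-11-23T22:40:44 jsmith LOGIN_FAIL 0
2014-11-23T22:41:01 jsmith LOGIN_FAIL 0
2014-11-23T22:41:20 jsmith LOGIN_FAIL 0
2014-11-23T22:41:35 jsmith LOGIN_OK 120
"""

# Assumed baseline of normal working hours per account: [start, end) on a 24h clock.
# For a vendor this is the "normal network activity" baseline the advisory asks for.
BASELINE_HOURS = {
    "jsmith": (7, 19),
    "hvac-vendor": (8, 18),
}


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, duration = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "event": event, "duration": int(duration)})
    return records


def analyze(log_text, baseline_hours, lockout=LOCKOUT_THRESHOLD):
    """Return sorted (timestamp, account, alert_kind) tuples for the anomalies found."""
    alerts = []
    failed_streak = defaultdict(int)   # consecutive failures per account
    sessions = defaultdict(list)       # successful sessions per account
    for r in parse_log(log_text):
        user = r["user"]
        if r["event"] == "LOGIN_FAIL":
            failed_streak[user] += 1
            if failed_streak[user] == lockout:
                # Account should be locked at this point; alert once.
                alerts.append((r["ts"], user, "lockout_threshold"))
            continue
        # Successful login: a success right after a lockout-worthy streak means
        # the lockout did not take effect (or the password was finally guessed).
        if failed_streak[user] >= lockout:
            alerts.append((r["ts"], user, "success_after_lockout"))
        failed_streak[user] = 0
        start, end = baseline_hours.get(user, (0, 24))
        if not start <= r["ts"].hour < end:
            alerts.append((r["ts"], user, "off_hours_login"))
        sessions[user].append((r["ts"], r["duration"]))
    # Session duration compared with the account's own median (needs a few samples).
    for user, items in sessions.items():
        durations = [d for _, d in items]
        if len(durations) < 3:
            continue
        med = statistics.median(durations)
        for ts, d in items:
            if d < med / 10 or d > med * 3:
                alerts.append((ts, user, "abnormal_session_duration"))
    alerts.sort()
    return alerts


if __name__ == "__main__":
    for ts, user, kind in analyze(SAMPLE_LOG, BASELINE_HOURS):
        print(f"{ts.isoformat()} {user:12s} {kind}")
```

On the constructed log the vendor account is flagged for a 40-second session at 03:12 (off-hours and abnormally short), and jsmith's six consecutive failures trigger the lockout alert, followed by a success that should not have been possible if lockout were enforced, itself off-hours and abnormally short. Per-account baselines are what make the vendor check meaningful: a 03:12 login is ordinary for an overnight batch account and an alarm for an HVAC contractor.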

PoS Management 

In preparing for the holiday season, remember, the computers that run the PoS services must be 
secured like any other computer on your network. In a recent incident, investigated by Wapack Labs, 
the CEO of a small company used his company computer to surf the web. In doing so, a website 
containing spyware was accessed and the spyware was downloaded on the system. Unfortunately, the 
spyware downloaded the ZeuS crimeware and installed a serious piece of ransomware known as 
Cryptolocker. It cost the company $600 in ransom (paid in Bitcoin) plus $3,800 in forensic and cleanup 
fees. Every file on his laptop was encrypted, and when he connected to the corporate network, every 
one of his mapped drives was encrypted, including financials, all because he surfed the web from his 
company laptop. 

During low volume hours, cashiers, clerks, and seasonal workers may find fun things to do on the web. 
Imagine if the attack described above occurred on a computer used to process payments or manage 


⁷ http://www.mocana.com/blog/2012/12/19/niagara-ax-framework-hack-more-serious-than-first-thought 
⁸ http://www.wired.com/2013/05/googles-control-system-hacked/ 
customer personally identifiable information (PII). How much more damaging and costly would that 
attack have been? 

Recommendations 

Overall 

• Inventory and conduct a review of how customer data is stored, moved, and deleted. This 
should include the equipment and applications involved. It is likely that a sophisticated attacker 
will conduct reconnaissance on a target's network to identify where customer data is stored and 
how it is transmitted locally before being encrypted in a central database. 

On the Network 

• Ensure that your PoS systems have a firewall or proxy installed for protection. 

• Deploy an appropriately configured intrusion prevention system (IPS). 

• Employ proper network segmentation, such that PoS systems operate on a separate, protected 
subnet. 

• All VPN access should be performed through the IPS and must use up-to-date authentication 
mechanisms. 

• Segregate your PoS system from other network functions such as email and non-PoS related 
applications. If the PoS is attached to enterprise resource planning (ERP), inventory, or finance 
systems, use application gateways to ensure the PoS functionality is logically protected. 

• Do not use PoS terminals or other computers with access to PoS systems for Internet surfing, 
checking email, or accessing social media. 


Encryption 


• Confirm what data is at rest on a PoS terminal and deploy endpoint encryption for those devices. 

• Encrypting Card and PIN information before going into the payment terminal memory has been 
an effective technique to safeguard the payment data. There are several vendors who provide 
this technology and service. 

• Some retailers have elected to replace their in store payment terminals with new technology to 
encrypt card account numbers and other track data as it is swiped in the mag stripe reader or 
read by the chip reader. 

[NOTE: If the criminals capture the encrypted data it is typically not marketable in the criminal 
underground] 

Internet Access and Software Updates 

• If the PoS is processed by software operating on a single terminal, consider not allowing that 
terminal internet access, or restricting its internet access to only those destinations required for 
PoS functions (e.g. payment gateways). 

• Consider requiring two or more employees to approve any updates of the payment processing 
applications and, if possible, filter updates to that terminal's operating system (OS) through a 
controlled server on the network. 
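The egress restriction above (a PoS terminal may reach only the destinations its functions require, with OS updates coming from a controlled internal server) is enforced on the firewall, but the advisory's earlier recommendation to monitor firewalls for outbound traffic to unknown destinations needs a check on the other side: the log. The script below is an added example, not part of the advisory; it reads constructed firewall log lines, keeps only flows whose source is in the PoS subnet, and reports every flow that is not on the allowlist of (destination, port) pairs. The subnet, allowlist entries, addresses (RFC 5737 documentation ranges) and log format are all assumptions.

```python
"""Report PoS-subnet egress that is not on the allowlist (added example)."""
import ipaddress

POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # assumed PoS subnet

# Assumed allowlist of what a PoS terminal legitimately needs: the payment
# gateway over TLS and the internal update server. Anything else is a finding.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("203.0.113.10/32"), 443),   # payment gateway (placeholder address)
    (ipaddress.ip_network("10.20.0.250/32"), 8530),   # controlled update server (placeholder)
]

# Constructed firewall log in a key=value style; real exports vary by vendor.
SAMPLE_FW_LOG = """\
2014-11-28T10:01:03 src=10.20.0.15 dst=203.0.113.10 dport=443 proto=tcp action=allow
2014-11-28T10:01:09 src=10.20.0.15 dst=10.20.0.250 dport=8530 proto=tcp action=allow
2014-11-28T10:02:44 src=10.20.0.22 dst=198.51.100.77 dport=443 proto=tcp action=allow
2014-11-28T10:03:12 src=10.20.0.22 dst=198.51.100.77 dport=8080 proto=tcp action=allow
2014-11-28T10:05:00 src=10.30.0.5 dst=198.51.100.9 dport=80 proto=tcp action=allow
2014-11-28T10:06:30 src=10.20.0.15 dst=203.0.113.10 dport=80 proto=tcp action=allow
"""


def parse_fw_line(line):
    """Turn 'ts k=v k=v ...' into a dict with the timestamp under 'ts'."""
    ts, *pairs = line.split()
    fields = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def is_allowed(dst, dport, allowlist=ALLOWED_EGRESS):
    """True if the (destination, port) pair is covered by an allowlist entry."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and int(dport) == port for net, port in allowlist)


def check_pos_egress(log_text, pos_subnet=POS_SUBNET, allowlist=ALLOWED_EGRESS):
    """Return (ts, src, dst, dport) for every PoS-subnet flow outside the allowlist.

    Flows from hosts outside the PoS subnet are ignored here; they are governed
    by other policy. The firewall's own action field is deliberately not trusted:
    an 'allow' that should not exist is exactly the misconfiguration being hunted.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_fw_line(line)
        if ipaddress.ip_address(f["src"]) not in pos_subnet:
            continue
        if not is_allowed(f["dst"], f["dport"], allowlist):
            findings.append((f["ts"], f["src"], f["dst"], int(f["dport"])))
    return findings


def hosts_with_findings(findings):
    """Collapse findings to a per-source count, the view to start triage from."""
    counts = {}
    for _, src, _, _ in findings:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    found = check_pos_egress(SAMPLE_FW_LOG)
    for ts, src, dst, dport in found:
        print(f"{ts} {src} -> {dst}:{dport} not on PoS allowlist")
    print(hosts_with_findings(found))
```

On the sample, 10.20.0.22 talking to an unlisted address on two ports and 10.20.0.15 reaching the gateway over plain port 80 are reported; the 10.30.0.x host is outside the PoS subnet and is skipped. Running this daily over the allow-logged flows is a cheap way to discover that a firewall rule is broader than the policy says it is.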
Physical Access and Multi-factor Authentication 

• Ensure that there are no active USB ports or other media drives open on a PoS terminal. If 
running a Windows OS, ensure that auto-run is disabled. Insider threats, both intentional and 
unintentional, are a real danger. 

• Inform employees to be on the lookout for skimmers, USB sticks, or other devices connected to 
PoS systems. Check all PoS systems, including card swipe equipment, for connected devices on 
a regular basis (e.g. daily). 

• Implement multi-factor authentication for the employees involved in managing the transactions 
of customer data and updating the applications protecting those transactions (See Appendix C). 

White Listing 

• If transactions are processed by a single software program operating on a single terminal, 
ensure that only that application is allowed to run on that terminal by enforcing a strict 
application white listing policy. If possible, log and configure alert updates for the security 
operations center for any changes made to that whitelisting policy by an individual user or 
business location. 

• Record and change the default settings with any PoS hardware and software, including default 
passwords. Criminal groups have likely reviewed documentation and/or purchased the same 
software in order to exploit any default settings. 
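The white listing recommendation above has two halves: only the approved application may run, and any change to the policy itself must reach the security operations center. The script below is an added example, not the advisory's or any product's code, that shows the logic behind both: an allowlist keyed by executable path and SHA-256 hash, a check of what is running against it, and a fingerprint of the policy so that a changed entry is detected rather than silently accepted. The paths, the byte strings standing in for executable contents, and the process list are constructed for illustration.

```python
"""Hash-based application allowlist check and policy-change detection (added example)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents; a real policy hashes the files on disk.
POS_APP_BYTES = b"POS-APP-v4.2-constructed-binary"
SPOOLER_BYTES = b"spooler-constructed-binary"

# The allowlist: path -> expected SHA-256. Hashing (not just the path) is what stops
# a renamed or overwritten binary from inheriting the approval. Paths are assumed.
POLICY = {
    r"C:\PoS\posapp.exe": sha256_hex(POS_APP_BYTES),
    r"C:\Windows\System32\spoolsv.exe": sha256_hex(SPOOLER_BYTES),
}

# Constructed snapshot of running processes as (path, file contents).
RUNNING = [
    (r"C:\PoS\posapp.exe", POS_APP_BYTES),
    (r"C:\Windows\System32\spoolsv.exe", SPOOLER_BYTES),
    (r"C:\Users\cashier\AppData\Local\Temp\updater.exe", b"unknown-constructed-binary"),
    (r"C:\PoS\posapp.exe", b"POS-APP-tampered-constructed-binary"),
]


def check_processes(policy, running):
    """Return (path, reason) for each process the policy would not allow."""
    findings = []
    for path, content in running:
        expected = policy.get(path)
        if expected is None:
            findings.append((path, "not_in_policy"))
        elif sha256_hex(content) != expected:
            findings.append((path, "hash_mismatch"))
    return findings


def policy_fingerprint(policy):
    """Stable hash of the whole policy; store it centrally and compare on every run."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def policy_changed(known_fingerprint, policy):
    """True if the policy on the terminal no longer matches the recorded fingerprint;
    this is the condition that should raise the SOC alert the advisory asks for."""
    return policy_fingerprint(policy) != known_fingerprint


if __name__ == "__main__":
    baseline = policy_fingerprint(POLICY)
    for path, reason in check_processes(POLICY, RUNNING):
        print(f"BLOCK {path}: {reason}")
    edited = dict(POLICY, **{r"C:\Users\cashier\AppData\Local\Temp\updater.exe": sha256_hex(b"x")})
    print("policy changed:", policy_changed(baseline, edited))
```

The constructed snapshot yields two findings: an executable in a user's temp directory that is not in the policy at all, and a second copy of the PoS application whose hash no longer matches. Adding that temp-directory executable to the policy, as a user or store location might try to do, changes the fingerprint, which is the event to log and alert on.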

Anti Virus and Key Logging 

• Do not rely on AV signatures to find memory scraping malware. Criminals have customized this 
type of malware in recent attacks and likely tested this against the target network's AV solution. 

• Implement anti-malware detection software that looks for anomalous and suspicious patterns 
of behavior. 

• Enforce up-to-date anti-virus signatures to find older malware that is being reused. This may be 
targeted at smaller or medium sized businesses or used by criminal elements with less resources 
and time. For a list of recently observed PoS malware families please see Appendix B. 

• Implement software to detect key-loggers on PoS terminals. 

• If possible, deploy a host based intrusion prevention system (HIPS). 


Points of Contact 

For law enforcement assistance, please contact your local U.S. Secret Service Field Office/Electronic 
Crimes Task Force (ECTF) or the USSS toll free number at (877) 242-3375. The U.S. Secret Service has 
taken a lead role in mitigating the threat of financial crimes since the agency's inception in 1865. As 
technology has evolved, the scope of the U.S. Secret Service's mission has expanded from its original 
counterfeit currency investigations to also include emerging financial, electronic and cyber-crimes. As a 
component agency within the U.S. Department of Homeland Security, the U.S. Secret Service has 
established successful partnerships in both the law enforcement and business communities - across the 
country and around the world - in order to effectively combat financial crimes. 
The FS-ISAC encourages member institutions to report any observed fraudulent activity through the 
FS-ISAC submission process and login at http://www.fsisac.com/. This reporting can be done with 
attribution or anonymously and will assist other members and their customers to prevent, detect and 
respond to similar activity. Non-members experiencing suspicious activity are encouraged to reach out 
to the FS-ISAC SOC at soc@fsisac.us or to call (877) 612-2622 - prompt 2. 
Appendix A. Network Controls for Small Merchants to Protect Customer Data 
(NOTE: If you outsource your PoS solution, please work with your PoS or payment processor vendor to 
ensure that the following controls are implemented) 

• Reset default passwords for vendor supplied equipment. 

• Require regular password changes (at least every 90 days) and change all passwords before and 
after the holiday season. 

• Enforce strong passwords (e.g. at least seven characters in length with both numeric and 
alphabetic characters). 

• Inform employees to be on the lookout for skimmers, USB sticks, or other devices connected to 
PoS systems. Check all PoS systems for connected devices on a regular basis (daily is 
recommended), especially ahead of the holiday season. 

• Segregate your PoS system from other computers on the network. Do not use PoS terminals for 
Internet surfing, checking email, or accessing social media. 

o If a PoS terminal must be used for legitimate non-PoS functions, implement a 
commercial or open source web protection tool on the PoS terminal to limit access to 
harmful and inappropriate websites. 

• If PoS services operate on an older operating system, update them immediately and configure 
auto-updates. 

• Update all AV signatures and software on a PoS terminal daily. 

• Implement multi-factor authentication for all remote access operations. 

• Implement a unified threat management (UTM) device. 

o This is a device that "allows an administrator to monitor and manage a wide variety of 
security-related applications and infrastructure components through a single 
management console." This simplifies the cyber security management process for any 
small and medium size business owner. 

o UTMs "are typically purchased as cloud services or network appliances, provide firewall, 
intrusion detection, antimalware, spam and content filtering and VPN capabilities in one 
integrated package that can be installed and updated easily." 

• If possible, hire an independent third party to assess your security needs. After this inspection, 
consider hiring a monthly managed security service provider (MSSP) to manage based on the 
inspection results. MSSPs are outsourced services that manage network defenses such as 
firewalls and can typically be hired inexpensively. Below is a list of questions that the SANS 
cyber research institute has published for businesses evaluating a potential MSSP. 


MSSP Evaluation Questions 

Business managers should consider the following questions before deciding to hire an MSSP. 

• Does the service provider offer an assortment of solutions that can readily address a variety of 
environments or do they specialize in a one-size-fits-all solution? 

o No service provider can be an expert in all possible solutions. They should, however, be 
able to offer a choice of products that can complement each other and provide a 
solution that offers an optimal amount of protection. 

• Do not overlook physical security. How secure is the facility from which the service is being 
provided? 

o Does the service provider utilize proper access controls, and is access to management 
consoles provided only to those who need it? 

• What provisions are in place with respect to fault tolerance? How often are the security devices 
being polled and what process is in place for notification should a problem occur? 

o While a device may appear to be "up," any number of problems could arise. Is logging 
being checked periodically and how? Are critical processes that run on the sensor being 
monitored to determine if they are functioning properly? What about routine 
maintenance of the device such as checking for disk space? Is there a centralized log 
server in the event that the security device, itself, is compromised? How much activity is 
kept, that is, how far back is logging maintained? If a compromise is discovered well 
after the fact, can accurate data be pulled to help in the investigation? 

• Does the service provider have out-of-band access to managed devices? 

o Is there built-in redundancy or is the provider "blinded" and unable to access devices 
and receive alarms? If you run a high-profile site this is a potential point of attack. 

• Does the company specialize in security or is it merely an add-on to an existing business? 

• How does the MSSP handle staff turnover? Are passwords routinely changed and do they utilize 
common passwords across multiple devices? Do they perform background checks on 
prospective employees and are they bonded? 

• What emphasis if any does the provider place on certifications? 

o While certifications do not in and of themselves guarantee expertise, they do provide a 
means of determining the level of knowledge that the staff has regarding intrusion 
detection. Look for non-vendor specific certifications, as well as vendor-specific 
certifications. 


• To what extent does the service provider provide continuing education or training for staff 
members? 

o Intrusion detection is a field that is rapidly advancing. The service provider should be 
able to readily address and provide information regarding new exploits. Part of the 
benefit of out-sourcing intrusion detection is that the service provider should be able to 
provide up-to-date information that would be beneficial in addressing new threats. By 
providing a proactive approach rather than a merely reactive one, they can more readily determine 
"patterns of activity" that could pose a threat to an enterprise ahead of time. 

• Is the service provider capable of writing custom signatures that can address "zero-day exploits" 
or are they limited to the signatures that are provided by the manufacturer of the intrusion 
detection system? What assurance is there that the devices that are being maintained are 
continually updated with the latest signatures? 

o An intrusion detection system that is not updated is comparable to virus protection 
software that is out of date. It can provide a false sense of security that can fail when it 
is needed the most. 


" Ibid. 
”lbid. 
Appendix B. List of Common PoS Malware Family Names 

Table 1 contains a list of common PoS malware family names that have been used in the past. 
Sophisticated criminals will likely continue to use malware from one or more of these families, after 
testing a target's AV solution against their samples to evade detection. 

[NOTE: Sophisticated criminals can make minor changes to existing families of malware, making it 
undetectable by signature-based AV solutions.] 


Table 1. List of Common PoS Malware Family Names 


Family Name / Description 

Alina 

A family of PoS malware that targets applications containing Track data, applies 
basic encryption and exfiltrates the information. This malware has a command & 
control structure, which allows it to search for and install automatic updates when 
they are released. 

Backoff PoS 

These variations have been seen as far back as October 2013 and continue to 
operate as of July 2014. In total, the malware typically consists of the following 
four capabilities. An exception is the earliest witnessed variant (1.4) which does 
not include keylogging functionality. Additionally, 1.55 'net' removed the 
explorer.exe injection component: 

• Scraping memory for track data 

• Logging keystrokes 

• Command & control (C2) communication 

• Injecting malicious stub into explorer.exe 

BlackPoS/Kaptoxa 

BlackPOS infects computers running Windows that are part of PoS systems and 
have card readers attached to them. These computers are either infected by 
insiders or found during automated Internet scans because they have 
unpatched vulnerabilities in the operating system or use weak remote 
administration credentials. Once installed on a PoS system, the malware identifies 
the running process associated with the credit card reader and steals payment 
card Track 1 and Track 2 data from its memory. BlackPoS is a RAM scraper, or 
memory-parsing software, which grabs encrypted data by capturing it when it 
travels through the live memory of a computer, where it appears in plain text. The 
captured information is uploaded to a remote server via File Transfer Protocol 
(FTP). 

Chewbacca 

Chewbacca appears to have been a short-lived malware designed to attack PoS 
systems and exfiltrate data over TOR. The malware itself has been well 
documented. 

Decebal 

Romanian PoS malware released on January 3, 2014. It is written in Visual Basic 
Script and is capable of checking to see if the computer on which it's deployed is 
running any sandboxing or reverse engineering software. Decebal can also 
validate that the stolen payment card numbers are legitimate. 


Dexter 

First discovered in December 2012, Dexter is a custom made malware tool 
used to infect point of sale systems. According to Seculert, Dexter steals the 
process list from the infected machine, while parsing memory dumps of specific 
POS software related processes, looking for Track 1/Track 2 credit card data. 

JackPoS 

JackPoS was likely first developed in October 2014 and developed through early 
2014. There are at least thirty three distinct malware samples of JackPoS in this 
timeframe. Some indicators suggest that JackPoS has evolved from, or was 
inspired by the Alina PoS malware. JackPoS is distributed by cybercriminals 
through drive-by attacks. The malware is sometimes disguised as the Java 
Update Scheduler. "Several of the found loaders used in detected 'Drive-by' 
download attack are written using obfuscated compiled AutoIt script, which 
became quite popular method to avoid AV detection in order to unpack additional 
binary malicious code and execute further instructions received from the 
command and control server." "The bad actors have used some sophisticated 
scanning, loading, and propagating techniques to attack these vectors to look to 
get into the merchants system thru external perimeters and then move to card 
processing areas, which were possibly not separated in compliance with PCI 
policies." 

PoSCardStealer 

PoSCardStealer is a name used by ESET, which appears to cover several types of 
PoS malware. Where the malware doesn't have another name known to ASERT, 
we will use "PoSCardStealer". Other anti-malware vendors use different naming 
schemes such as Troj/Trackt-K. 

vSkimmer 

vSkimmer was disclosed by McAfee in March 2013. vSkimmer searches program 
memory for track data; however, it only looks for data matching Track 2 format. In 
addition to using HTTP to exfiltrate stolen data to a C2 server, vSkimmer can be 
configured to copy data to a specific USB device if it is unable to connect to the 
Internet. vSkimmer dumps its stolen data to a log file on a USB drive with a certain 
volume name. 
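Every family in Table 1 ends by moving Track data off the terminal (FTP, HTTP to a C2 server, or a log file on a USB drive), so a check for Track 2 formatted data at the network egress, in proxy logs or in a DLP tool is a practical detection. The block below is an added example, not code from the advisory: it scans a constructed capture for Track 2 records, keeps only Luhn-valid PANs (the same legitimacy check Decebal applies to stolen numbers, used here to suppress false positives) and reports masked findings.

```python
"""Egress / DLP check for Track 2 formatted card data in captured text.
Added example with constructed samples; not code from the advisory."""
import re

# Track 2 layout: optional start sentinel ';', PAN of 13-19 digits, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,20})\??"
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check; Track 2 hits with an invalid PAN are usually false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    # Keep BIN and last four so an alert can be triaged without re-exposing the PAN.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Return masked findings for every Luhn-valid Track 2 record in the text."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if luhn_valid(pan):
            findings.append({"pan": mask_pan(pan), "exp": m.group("exp"),
                             "svc": m.group("svc"), "offset": m.start()})
    return findings


# Constructed capture: an outbound POST body carrying one real-format Track 2 record
# (4111111111111111 is a public test PAN), one Luhn-invalid decoy and ordinary noise.
SAMPLE_CAPTURE = (
    "POST /upload.php HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
    "data=;4111111111111111=25121011234567890?&id=7\r\n"
    "decoy=;4111111111111112=2512101?\r\n"
    "order=20141210-0042 total=1234=5678\r\n"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_CAPTURE):
        print(f"ALERT Track 2 data at offset {hit['offset']}: PAN {hit['pan']} exp {hit['exp']}")
```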


Appendix C. Multi-Factor Authentication 

This is an example of multi-factor authentication for a Citrix application. 

[NOTE: Many Citrix remote access and virtualization solutions should support multi-factor 
authentication.] 

Enable Two-Factor Authentication 

Use the Authentication Methods task in the Citrix Web Interface Management console to enable two- 
factor authentication for users, if required. 

1. On the Windows Start menu, click All Programs > Citrix > Management Consoles > Citrix Web 
Interface Management. 

2. In the left pane of the Citrix Web Interface Management console, click XenApp Web Sites and 
select your site in the results pane. 

3. In the Action pane, click Authentication Methods and select the Explicit check box. 

4. Click Properties and select Two-Factor Authentication. 

5. Select the type of two-factor authentication you want to use from the Two-factor setting list and 
configure any additional settings as appropriate. 

Configuring Two-Factor Authentication 

The following steps were recommended by the security firms Actividentity Channel and Duo Security for 
configuring Citrix XenApp. These include the following steps: configure Citrix RADIUS settings, configure 
the RADIUS shared secret, and configure two-factor authentication settings. 


For the XenApp: 


1. Log in to the Citrix Web Interface Management Console. 

2. Navigate to XenApp Web Sites and click on Authentication Methods. 

3. Confirm that only Explicit is checked and click Properties. 


Figure 1. Configure Authentication Methods for XenApp 



4. Click on Two-Factor Authentication and select RADIUS for the Two-factor Setting. 

5. Add a RADIUS server and enter the AuthProxy IP address as the server address and 1812 for the 
server port. Configure the Timeout to 60 seconds and save your configuration. 

Figure 2. XenApp Two-Factor Authentication 



Figure 3. Adding the RADIUS Server IP Address 



Figure 4. AuthProxy Configuration 
6. Create a new text file in the Citrix Web Interface \conf folder called radius_secret.txt. 

Type the radius_secret from the AuthProxy configuration in the radius_secret.txt file. 

(The location for this file is given by the RADIUS_SECRET_PATH configuration value in the web.config file 
(for sites hosted on IIS) or web.xml file (for sites hosted on Java application servers). The location given 
is relative to the \conf folder for sites hosted on IIS and relative to the /WEB-INF directory for sites 
hosted on Java application servers.) Typically the location will be similar to: 
C:\inetpub\wwwroot\Citrix\Xenapp\conf. 


7. On the Citrix Web Interface server open the web.config (IIS hosted) or web.xml (Java apps) file 
and add the Citrix Web Interface IP address as the "RADIUS_NAS_IP_ADDRESS". 

Figure 5. Adding the Citrix Interface IP Address 

[Figure 5 is a screenshot of the web.config add keys, including RADIUS_SECRET_PATH set to radius_secret.txt and RADIUS_NAS_IP_ADDRESS set to the Web Interface IP address; the remaining key/value text did not survive scanning.] 
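Steps 4 to 7 connect the Web Interface (the RADIUS client, or NAS) to the AuthProxy on port 1812 with a shared secret and a NAS IP address. The following is an added example, not Citrix or Duo code: it simulates that exchange in-process using the RFC 2865 packet format so the role of the shared secret is visible. The secret hides the User-Password in the Access-Request and authenticates the Access-Accept or Access-Reject, and a mismatched secret shows up as a rejected user and an unverifiable reply. The user name, password, credential store and the 10.1.10.21 NAS address are constructed placeholders.

```python
# Simulated RFC 2865 exchange: NAS (Citrix Web Interface) <-> RADIUS server (AuthProxy).
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # type, length, value

def _xor_chain(data, secret, req_auth, chain_on_output):
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous block); the chain starts
    # from the Request Authenticator and continues with the ciphertext blocks.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if chain_on_output else data[i:i + 16])
    return out

def hide_password(password, secret, req_auth):
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)

def reveal_password(hidden, secret, req_auth):
    return _xor_chain(hidden, secret, req_auth, False).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_ip):
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attributes(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def radius_server(packet, secret, users):
    # Simulated AuthProxy: reveal the password with its own copy of the secret, then reply.
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    return head + hashlib.md5(head + req_auth + secret).digest()

def nas_verify_response(response, req_auth, secret):
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(hashlib.md5(head + req_auth + attrs + secret).digest(), resp_auth)

def run_exchange(nas_secret, server_secret, password="Tr0ub4dor&3"):
    # Returns (response code, whether the NAS accepted the Response Authenticator).
    users = {"alice": b"Tr0ub4dor&3"}  # constructed credential store on the server side
    req = build_access_request(7, "alice", password, nas_secret, "10.1.10.21")  # placeholder NAS IP
    resp = radius_server(req, server_secret, users)
    return resp[0], nas_verify_response(resp, req[4:20], nas_secret)
```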


Two-factor authentication methods for XenApp Web Sites 

• Aladdin SafeWord for Citrix. An authentication method that uses alphanumeric codes 
generated by SafeWord tokens and, optionally, PIN numbers to create a passcode. Users enter 
their domain credentials and SafeWord passcodes on the Logon screen before they can access 
applications on the server. 

• RSA SecurID. An authentication method that uses numbers generated by RSA SecurID tokens 
(tokencodes) and PIN numbers to create a PASSCODE. Users enter their user names, domains, 
passwords, and RSA SecurID PASSCODES on the Logon screen before they can access resources 
on the server. When creating users on the RSA ACE/Server, user logon names must be the same 
as their domain user names. Note: When using RSA SecurID authentication, the system can 
generate and display a new PIN to the user. This PIN appears for 10 seconds or until the user 
clicks OK or Cancel to ensure that the PIN cannot be viewed by others. This feature is not 
available on PDAs. 

• RADIUS server. An authentication method that uses the Remote Authentication Dial-In User 
Service (RADIUS) authentication protocol (as opposed to proprietary agent software). Both 
SafeWord and SecurID can be installed and configured to be presented as a RADIUS server. For 
Web Interface for Java Application Servers, RADIUS authentication is the only two-factor 
authentication option available. 

